complexity is evil, evil, evil

Work projects have been kicking my ass lately, and basically sapping the will to live! In all seriousness, I am a firm believer that complexity is the ultimate evil to all things IT, not just security. It turns simple plans into extremely frustrating projects that don’t end.

Unfortunately, complexity has a driver, and that is called the Deadline. Impose deadlines that don’t match the work to be done, and often the end result is a chaotic, complex mess…

proving your security

I mentioned last year, and in various other posts, the idea of proving your cyber state. In that post, I mentioned safety, but I really meant security. Are you secure? Prove it. Richard Bejtlich echoes (or restates, since I’m not sure where I first heard this idea) that this is a key tenet of where we should be with our own cyber security. In fact, I will go so far as to say this question is as important to our field as cogito ergo sum is to philosophy (it’s the basis of it, a foundational statement). It is more than a marketing ploy or illustrative approach; it is a basis for our entire industry and philosophy on security, business, and IT.

Please read Richard’s post. In recent months he has been throwing various ideas around, and you can almost see the screws turning, popping this extremely formative and important post out. He builds up to what he defines as security, or rather, acceptable security.

do odd bank mailings make you paranoid these days, too?

My bank recently changed its name, and along with it some of its business decisions. Most likely a buy-out of some sort, but I really couldn’t care less about stuff like that.

Tonight I got one of those little envelopes that you tear off three sides for. Usually these are pretty important, so I always open them before Bills Time. Whoa…a PIN? For me? Ok, last 4 digits of this card…nope, not my ATM card. Nope, not my credit card with this bank. Rut roh, raggy. Let’s go back a few days in mail…

Oh, look, an envelope with a new Debit card. Ok, I don’t want a debit card, I want an ATM card. Really, a 4-digit PIN is not a huge security measure if someone looks over your shoulder. I’d rather guard against shoulder-surfing at an ATM than in a crowded check-out line somewhere with a clerk watching straight down. I can also scope out any suspicious gear at an ATM. I like my ATM card and have taken active measures to decline debit cards.

I also found another mailing from a few days ago explaining the change: my ATM card is being replaced by this Debit/ATM card.

Great, thanks. I guess that choice has been lost to me. 🙂

random thoughts in response to other random thoughts

  • Ask any law enforcement officer if there is rampant depression because they will never really get rid of all the bad guys and bad things in the world, and if we should give up or change the playing field? What about ethical or moral activists or environmental activists?
  • If I decide to be a carpenter because I want to have an achievable goal, do I get stuck in the same old mud because I’ll never be able to satisfy all the carpentry needs of my region? Or do we take pride in each single creation, or series of creations that contribute to the whole?
  • Back in the early 1900s, unwanted and teenage pregnancy was a huge problem, but several groups eventually came together and educated women and promoted programs designed to address the issues. We have not solved these problems even today, but does that mean those early or subsequent efforts were useless and we look back on those people with a pitiful eye?
  • When you wash your car, do you avoid sprinkler puddles for a few days? Do you feel sad that the car will just get dirty in a few weeks anyway? Do you curse God because it rains the day after you wash the car? Do you take joy in the washing, even though you know dirt is inevitable? Do you wash the car and then avoid going places until you really have to so that it stays cleaner longer? Do you just wash it an obscene amount of times? And for what reward all this effort?

Basically, our dilemma is not unique, and at least our efforts are measurable in both tangible and non-tangible results. Any time we get down in the dumps about security, it is because we have poor goals and measurements. Are we making a difference? Should we change our name to make it better? Do we expect to ultimately eradicate insecurity and information loss and protect our systems, and otherwise count ourselves failures? Do we worry that our jobs stem from other people’s loss or suffering, or do we realize we are helping people deal with the inevitable? Inevitable: human mistakes, bad morals, economic choices [budgets], education to not make poor decisions, etc…these are our combatants, not pain and suffering.

work has been outweighing the life scales for the moment

It’s months like these that make me painfully aware of my growing list of personal projects. At work, we’re butting up against some deadlines in what is maybe our biggest project in a long time: migrating our operations from our on-site data center to a DR site in a dedicated facility…by using the facility as our primary site. So basically not just a DR project, but also getting our production environments over there. Not easy or terribly fun…although our intimate knowledge of our environments has never been better. You can see some of my personal stuff to do over on a Security Catalyst thread that Cutaway started. I’m obviously not alone in wanting to retool and practice on the home network! 🙂

yaeauef: yet another example against user education fanaticism

Outside the business parking lot where I work there are 4-lane, fairly busy roads. On two of the drives out onto this street are very visible signs prohibiting left turns (i.e. across 3 of the 4 lanes, at a minimum). This is basically a sort of rule. However, there are, every day, people who disobey that sign and make the dangerous, inconsiderate turn left across all lanes, inconveniencing people behind them, drivers on the roads, and setting themselves up for an accident that likely will be billed directly as their fault considering the disregard. Likewise, almost everyone “obeys” speed limit laws by only going, at most, 10mph over the speed limit.

And we expect these same people to obey corporate IT policies? I guess my point is that user education helps those who care, but will do nothing to improve the security practiced by those people who are poor risk evaluators or just plain don’t care. They will take the shortcuts or bend the rules as they see fit. This is why I fall more on the side of technological controls than on user education when it comes to a solid security plan. I want both, but I can never truly rely on all the people…

I know, I’m beating a dead horse, but it’s an example I wanted off my chest and written down in my little journal here. Move along, these are not the droids you are looking for…

a series of unfortunate events

Have you seen recent HP promotions about how the computer is personal again? Well, check it out. We received a box from HP today with that same font on the side, which a few of us recognize from the movie and book, Lemony Snicket’s A Series of Unfortunate Events. We found it very humorous that a computer box would want to be associated with a series of unfortunate events, and it made for a very laughter-inducing morning!

cube culture at linkedin

I wish my cube could look like these in the LinkedIn offices. Wow! Now, that is what work really should be like. Although some of the cubes look a little *too* themed and over-the-top, at least they are having fun and seem to encourage employees to be expressive. I really think that can only be a good thing. In my current job, the company has very strict rules about cubes (nothing above the sides, nothing hung outside the small tack boards, no white boards, no plants, no fish, tidy, no real decor…blah blah blah…basically a sterile hospital room), which makes for a very non-homey feel. Meh.

I dig the half-completed ceiling. It adds some depth, prevents the sterile-stifling-ceiling effect, makes things interesting, and likely gives it more air as well. Kinda combining the best effects of a factory facility with an office one. There’s a Superman in the pics that is a little too hung for comfort. Still, it would be fun to come to work in an environment like this. Many people, especially us techies, really do like our professions when given the chance; work is not work for us like it might seem for more blue-collar type jobs or more menial labor. It really is a boon when the company completes that happiness circle by letting employees be happy employees.

I’m surprised I didn’t see any cubes decorated with a variety of logic puzzles, plush toys, and various other little trinkets to play with from ThinkGeek. Geek out while stoking the fires of creativity… I’m also surprised more weren’t covered like the camp-themed one. I think it would be a bit popular to shut out the fluorescent lighting and opt for something more cozy in a covered setting. I would take softer, less direct lighting any day over typical sterile office ceiling fluorescents. More beanbags in corners for ad-hoc meetings, more comfy chairs for collaboration visits… 🙂

auditing guides from the iia

The IIA has a series of audit related guides available. I very briefly skimmed a couple of them to check out the content, and they look really informative. They seem to be about 50 pages long, which is right about my personal limit for what I print at work for personal pleasure. Therefore, logging the links for my own use.

1. Information Technology Controls
2. Change and Patch Management
3. Continuous Auditing
4. Management of IT Auditing
5. Managing and Auditing Privacy Risks
6. Managing and Auditing IT Vulnerabilities
7. Information Technology Outsourcing
8. Auditing Application Controls

Saw this from the Security4All blog. (Ok, fine, I printed guides 2 and 6…)

ode to the ciso

Cutaway posits, “Why is it that we have not seen college, high school, or any other school close their doors because of security breaches or just plain being totally owned?”

I’m not going to answer that, but I will say that this is my new ode to ousted CISO/CIOs who lose their positions due to a stupid security breach:

laugh and the world laughs with you,
weep and you weep alone,
for the sad old company must keep hold its money
but still has security troubles on its own

This is adapted from a wonderful poem by Ella Wheeler Wilcox called Solitude. (If you like that poem, I highly suggest browsing her other works…)

patch tuesday information sources

For some time now, the ISC has been my first check for information on Microsoft patches from Patch Tuesday. I then follow links to the disclosures on Microsoft’s site and the CVEs for more details.

I see BreakingPoint has gone further and released a slew of in-depth looks at the patches and the vulnerabilities those patches, err, patch. I think this is awesome, and fits what is kind of the last piece to getting all the info about Patch Tuesday: overview, official statements, technical analysis. I hope they do this every month.

randomness: passwords, ids, salespeople, defaults, layers

I think every time I call one of my credit card customer service centers, I have the same befuddled response, probably because I only call once every 6 months, if that. “Can I have your password for this account?” Me: “…huh, what? I didn’t know there was a password..” Rep: “It is probably your mother’s maiden name.” Me: “…oh…ok well let’s try this.” And of course it works…it’s just so odd being asked a password on the phone…

I really don’t like having a gap between my use of an IDS/IPS and knowledge of the signatures. Today a new alert came across proclaiming “NETBIOS-SS: Bugbear Virus Worm.” I’m not sure what a “virus worm” is, but it certainly is something to look at right away. Turns out it was a false positive, but I really wish I could see what my vendor’s signatures actually are, rather than seeing the interpretation of them in the management console (which are almost always inconclusive and vague). Oh, since I’m complaining about the IDS/IPS, I’ll echo my old complaint that I really dislike capturing only one packet per alert, even though I have it set to log the stream…one packet certainly gives me a lot of context!

Annoying vendor salespeople #84: Insist on digital communication via email only. Actively reject any attempts at face-to-face or voice-to-voice communication. I think sales people have a handbook that says sales are guaranteed with face-to-face meetings and 80% guaranteed with voice-to-voice meetings. It’s almost like seeing a squirrel stuck inside a gallon milk jug.

What if we start convincing companies to roll out “secure by default” devices and software? Will we dumb down our workforce too much, with people who know how to roll something out but not know how to manage anything? IIS is easy to build now, but takes work to really understand it. Apache still scares IIS users because you need to make config changes early on… Just a thought, although I do believe “secure by default” should be the goal.

I was adjusting a script of mine the other day to account for the event of a configuration error in some file replication apps we run. A config error led to an issue with script execution, so I coded around it before I found the config error. This is effectively a little bit of “defense in depth” although this has nothing to do with security. But what if a config error occurs again? Because I’ve layered my script over the config, it might mask the problem with the config. Can defense in depth mask holes in the various layers because testing isn’t done on each piece? Possibly…
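The masking worry in the paragraph above, as an added example that is not from the original post: a small wrapper around a hypothetical file-replication job (the job names, config keys and paths are constructed for the illustration). `run_masking` is the “code around it” approach, which keeps running but loses the config error entirely; `run_visible` keeps the same tolerance (one bad job does not stop the others) but validates and records the error, so the extra layer does not hide the hole underneath it.

```python
"""Added example (not code from the original post): layering a script over a
file-replication config in a way that masks config errors, versus a way that
tolerates them while keeping them visible."""
import configparser
import logging
from dataclasses import dataclass, field

# Constructed sample config.  The second job has a typo in its key name
# ("destinaton"), the kind of config error the post describes.
SAMPLE_CONFIG = """
[job_docs]
source = /srv/docs
destination = /mnt/dr/docs

[job_logs]
source = /srv/logs
destinaton = /mnt/dr/logs
"""


@dataclass
class RunReport:
    replicated: list = field(default_factory=list)     # jobs that ran
    config_errors: list = field(default_factory=list)  # problems found in config


def load_jobs(text):
    """Parse the INI-style config into {job_name: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def replicate(source, destination):
    """Stand-in for the real copy step; returns a description of what ran."""
    return f"{source} -> {destination}"


def run_masking(jobs):
    """The 'coded around it' version: swallow whatever goes wrong so the
    script keeps running.  The config error disappears from view."""
    report = RunReport()
    for name, job in jobs.items():
        try:
            report.replicated.append(replicate(job["source"], job["destination"]))
        except Exception:
            continue  # job silently skipped; nobody learns why
    return report


def run_visible(jobs, log=logging.getLogger("replication")):
    """Same layering (a broken job does not stop the others), but each config
    problem is checked explicitly, recorded in the report and logged."""
    report = RunReport()
    required = ("source", "destination")
    for name, job in jobs.items():
        missing = [key for key in required if key not in job]
        if missing:
            msg = f"job {name}: missing config key(s) {missing}"
            report.config_errors.append(msg)
            log.error(msg)
            continue
        report.replicated.append(replicate(job["source"], job["destination"]))
    return report


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    jobs = load_jobs(SAMPLE_CONFIG)
    masked = run_masking(jobs)
    visible = run_visible(jobs)
    print("masking layer :", masked.replicated, masked.config_errors)
    print("visible layer :", visible.replicated, visible.config_errors)
```

Both versions replicate exactly one job, so from the outside they look identical; only the second one leaves behind evidence (a logged error and a non-empty `config_errors` list a caller can act on, for instance by exiting non-zero) that the lower layer is broken. That is the difference between a layer that adds depth and one that just hides the hole.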

spi dynamics web app hacking workshop

This morning I attended a workshop hosted by Michael Sutton of SPI Dynamics. Michael is the Security Evangelist (kinda like a mix between a trainer and a sales engineer, I think…does that not sound like a cushy role?) for SPI Dynamics, and he talked about hacking web applications. I just need to mention that the blogs and labs on the SPI Dynamics site are both nice resources. The talk had about 35-40 people in attendance, about 1/3 QA, 1/3 developers, and 1/3 security people, with a couple managers and a couple of us sysadmins in attendance.

Michael opened up by talking about why web application security is important now, and then delved into describing and demoing 4 different attacks against web apps: XSS, SQL Injection, CSRF, and Ajax attacks. While this isn’t new to me, personally, I don’t think I’ve seen live demos of these attacks before, so that was a step up for me (come on, we don’t get this kind of thing in Iowa every month!). He talked about reflected and persistent XSS issues, with a demonstration of persistent XSS. Then both verbose and blind SQL injections. After a break we saw CSRF and Ajax demonstrations.
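An added illustration of two of the demoed attack classes, written for this page and not SPI Dynamics’ material or anything shown at the workshop: the same login lookup written with string concatenation (the shape a SQL injection demo relies on) next to the parameterized form that closes the hole, and the output-encoding step that keeps a stored comment from becoming persistent XSS. The user table, credentials and sample inputs are constructed.

```python
"""Added example (not from the post or SPI Dynamics): a login query that is
injectable beside its parameterized form, and output encoding for stored data."""
import html
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Query text assembled from user input: the structure of the SQL
    statement, not just the values, is controlled by whoever fills the form."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Placeholders keep the input as data; the statement's structure is fixed,
    so quote characters in the input never change what the query means."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def render_comment(comment):
    """Persistent XSS is a failure to encode stored data on output.  Escaping
    at render time makes any stored markup display literally instead of
    running in the next visitor's browser."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    # The classic textbook probe: a quote that closes the string literal
    # followed by an always-true condition.
    probe = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, "x", probe))   # every user
    print("parameterized:", login_safe(conn, "x", probe))      # nobody
    print(render_comment("<script>alert(1)</script>"))
```

With the concatenated query the condition becomes `name = 'x' AND password = '' OR '1'='1'`, and since AND binds tighter than OR the lookup matches every row; the parameterized version passes the same string as an ordinary value and matches nothing. The same principle applies to the XSS side: the fix is not to hunt for bad strings on input but to encode consistently on output.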

I do want to mention the tools used or mentioned. Oh wait, gosh, almost everything is done using just a browser. Of course, this means almost anyone can start picking this up and learning how to find these holes (increased risk!). Michael did mention Absinthe as a blind SQL injection automater, Live HTTP Headers (firefox addon), FireBug (firefox addon), and SPI Proxy (part of the commercial product WebInspect). The latter was used to intercept and change browser-server requests in Ajax pages. Very cool!

He then closed out with brief looks at SPI commercial tools WebInspect and DevInspect, which really both look nice for dev and security teams to automate and standardize their testing. My only brief nitpick on the presentation was the use of AJAX as an acronym in the slides, but he did mention that it is no longer really intended as an acronym anymore, and has been used to simply describe new web behaviors. Kudos for hating on “Web 2.0” as a term, since I hate it as well.

Nitpick aside, the workshop was well done, a decent way to spend a morning away from work, and provided good information. I’d recommend it for anyone who is not already a web application security guru who knows those attacks and tools inside and out. And no, it had no marketing spiel or slant to it.

lessons from a cyberdefense competition red team part 3

This is a 3-part account of my experience on the red team for the ISU CyberDefense Competition. Part 1, Part 2, Part 3

This section is just to document some of my feelings on organizing a red team. Overall, I don’t know if there are wrong ways to organize a team, but here are just some ideas and thoughts.

1. Do a brief round of introductions and specialties and background; newbies are welcomed to say they’re newbies. This gets everyone’s name out there, breaks the ice for the shy ones, and helps everyone know who to ask for specific expertise. This can also let everyone know who the person in charge is, i.e. whom you ask for direction or information if needed, such as where to set up and how to connect. This person will need to repeat much of this for any latecomers.

2. Assign people tasks, rather than targets. App specialists tend to skip obvious network holes and can get distracted by app holes in various teams. It is best to keep people doing what they’d rather be doing, and giving all teams a more equalized enemy. Newbies can get pretty good with scanning as they go, but a newbie assigned a team may give that team far less successful attacks with which to evaluate their defenses.

3. Make root the goal. Sure, DoS and service interruptions from a Nessus scan, and web defacements are fun, but really make root and total ownage the end goal. Create persistent backdoors and get inside. Even a team that thinks it was up most of the event may have been completely owned and leaking valuable information to outsiders.

4. I would consider DoS a valid attack in a competition where uptime is a scoring criterion, but only insofar as configuration errors make the DoS attacks possible. In other words, preventable from a practical standpoint. Nonetheless, DoS shouldn’t be used constantly, and only to illustrate the vulnerability and drive home the point with some downtime and points loss. After the point is made, ease up and let the teams and attackers get more out of the experience. (Imagine your team is being DoSed and you don’t really know how to fix it…and it lasts the whole competition…that sucks pretty hard for just not knowing maybe the one config change to fix it.)

5. Don’t overlook the obvious deficiencies. They may not lead to root, but noting things like a lack of SSL on logins or an MS Exchange server hanging out in the winds of the public net can be important notes to make when evaluating team performances. They’d be dings on professional evaluations, so may as well ding them here as well.