To circle back around to an earlier link to a packetlife challenge/contest notice, the answers are now up. What did I learn? Well, I didn’t know Wireshark could decode SNMPv3 data if I had the proper info. In fact, I couldn’t even do it with my installed version of Wireshark. I had to update to get the features. Cool challenge. Simple, but not necessarily elementary.
Articles like this one on the IRS in NetworkWorld (channeling a GAO report) often leave me shaking my head in disgust. And no, it’s not because the IRS has security issues (we all do!).
“The GAO said the IRS had mitigated 49 of the 115 information security weaknesses that the GAO reported in early 2008.”
Fine, I agree we need to keep nipping at the heels of the people who should be securing digital assets.
But I disagree with the general tone of this article that implies three unhealthy things to me:
1. “Let’s hire contractors to knock away these final 49 items, and that will be when we release them.” – I don’t like this because it implies what much of business thinks: put in the time, and then it’s done, game over, let the contractors all go. Yes, some things in security require time and then you’re done for that technology cycle, but too much has to be ongoing. It is dangerous to put too much emphasis on a milestone like this. People, oversight and maintenance are probably more important than the initial implementation. There really isn’t much breathing easy after you check off those last 49 things.
2. “Man, just do those final 49 things. All it takes is to just flip that switch and turn those things on.” – Security often takes time, especially in a large, critical entity that likely cannot absorb long downtimes or huge sweeping changes. Even in small companies, relatively “simple” things like permissions can result in dramatic business changes. They may be necessary, but they are not often quick.
3. “There are only 49 weaknesses left, and then we don’t have to worry anymore.” – This gets back to point 1, but with a slightly subtle difference. Rather than treating the checkmarks as a milestone, it assumes the checkmarks are all you ever need to do.
The article may mean well, but I find it implies a dangerous, unhealthy tone and attitude. It really is not just this article: all checklist-driven security eventually reaches that tone when overemphasized.
I’m finally getting around to reading the NetworkWorld article that cited Fortify Software Inc. co-founder Brian Chess as essentially saying that penetration testing as we know it today is dying/dead. The article further states, “Customers are clamoring more for preventative tools than tools that simply find the weaknesses that already exist, he said. They want to prevent holes from opening in the first place.”
Talk about confusing!
I think the assertion is correct that customers want preventative tools. I want preventative tools wherever possible. But I think there are three incorrect assumptions here. First, that preventative tools can possibly prevent or even anticipate every potential hole (or even most of them!). Second, that preventative tools are something more than just a band-aid on other issues. Third, that companies know all their weaknesses already.
The article (and Mr. Chess) makes it sound like the security buck stops at “preventative tools.”
There is value in preventing issues, but there is no way penetration testing is going away or even beginning to die or dwindle for many years. Too many corporations still thirst for knowledge on their security stances and weaknesses, or for more leverage to higher-ups for budgets or project direction.
Prevention, detection, testing…these and more are all parts of a solid security posture. No one trumps the others, nor does one lag behind as dying or even changing.
Here are a couple of statements on my view of pen-testing.
If you have little existing security, pen-testing helps give direction and information on where to make improvements.
If you have a security plan in place, pen-testing helps give third-party validation to the results, while also potentially exposing weaknesses that were overlooked (the more eyes that read this post, the more we can say all the typos were caught!).
Linkage to The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (pdf). I clicked through thinking, “Wow, 25, did you leave enough out to make a ‘Bottom 25’?” But as I skimmed through it, it seemed like a pretty logical listing and a decent read as well. If I had a suggestion, it would be to dump the cute analogies in the Discussion sections of each entry and replace them with a technical example or two.
And include “economics” and “shortcuts” and “cheap coders” as dangerous errors too. 🙂
A couple points I want to throw out for a Monday:
1. Security takes knowledge.
2. Security takes time.
3. Insecurity arises when shortcuts are taken. (Yes, you fall into this area, web developers!)
4. It is no surprise security permissions (in general) are lax, because they suck to manage.
5. We all started in a place where we didn’t have expert knowledge.
6. Don’t overinflate your abilities. This is where ‘paper CISSPs’ harm our field, not because they aren’t experts yet, but because they profess to know more than they do.
In recent weeks, Snosoft’s (Adriel Desautels) blog has delved into the topic of fraudulent security experts and how corporations can tell if they have a quality security expert (or vendor). I applaud the effort, even if he is preaching to the choir and may be tackling issues that are universal and have no absolute “oh-my-god-epiphany-that-will-change-the-world” answers. Those posts and a headache-inducing security permissions issue I tackled today prompted this post.
I had a longer essay presenting those 5 topics above, but I think I’ll just let them sit alone. Anyone reading my blog can either outright agree, or think for themselves on how those points apply. Just one hint: “knowledge” can refer to both technical as well as business knowledge.
When posting a quick series on a blog, which number do you start with? Do you use “1” for anyone who gets updates and reads them immediately, or reads them from oldest to newest? Do you start with the last one, so it reads properly in a reader or on the blog itself? Do you make it all one post, which diminishes the stand-alone value of all points? (Kinda like mashing 4 ideas into one paragraph, the first and maybe last get special value and the rest are mushy potatoes in the middle.) Ultimately, blogs fail…but hey, we all have things to say, even if no one is listening.
What is it about the Internet that has most changed our lives and society? Well, I would surmise that it is our ability to self-serve information-finding. In 1990, what did we depend upon for information? Today, I can self-serve by looking it up.
What is the next “Web?” Well, probably immersive virtual environments, even though it seems a bit counter-intuitive on some levels. For instance, Sony’s Home will be interesting to watch develop. On some levels virtual environments work, like online training experiences or meetings. On some levels I imagine it doesn’t work: going to an arcade in Home just to play a game…why the extra lobby/step?
For future reference, SourceMap: “SourceMap is designed to scan to a port from multiple different source ports, to aid in finding weaknesses in firewall rule sets. It is possible to scan ports on a host from all 65535 source ports, something that nmap could not do. SourceMap is a multi threaded perl wrapper around nmap.”
Blog post from Abe Getchell on creating a covert channel over SMTP by using the X-Spam-Report (and related) email headers to embed a message in what otherwise can look like spam messages. Adding value beyond just the issue itself, Abe drops a Snort rule to detect his example at the end of the post.
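A detection-side counterpart to Abe’s Snort rule, as an added example that is not from his post: a Python check that flags X-Spam-* headers whose content does not look like a spam-scanner report (report lines not in the usual “* score RULE” form, or long high-entropy tokens). The sample messages, the header list and the thresholds are constructed assumptions, not taken from the post.

```python
# Heuristic check for data hidden in X-Spam-* headers (added example; samples are constructed).
import email
import math
import re

# A genuine SpamAssassin report line looks like "*  1.5 BAYES_50 BODY: Bayes spam probability ..."
REPORT_LINE = re.compile(r"^\*\s+-?\d+(\.\d+)?\s+[A-Z][A-Z0-9_]+\b")
# Runs of base64-alphabet characters this long do not occur in normal report text (assumed threshold).
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=]{24,}")
SUSPECT_HEADERS = ("X-Spam-Report", "X-Spam-Status", "X-Spam-Checker-Version")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted text scores well above rule names and English."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def header_findings(msg) -> list:
    """Return (header, reason) pairs for header values that do not fit a scanner report."""
    findings = []
    for name in SUSPECT_HEADERS:
        for value in msg.get_all(name, []):
            if name == "X-Spam-Report":
                lines = [ln.strip() for ln in value.splitlines() if ln.strip()]
                bad = [ln for ln in lines if not REPORT_LINE.match(ln)]
                if bad:
                    findings.append((name, f"{len(bad)} line(s) not in '* score RULE' form"))
            for tok in LONG_TOKEN.findall(value):
                if shannon_entropy(tok) > 4.0:  # assumed cut-off
                    findings.append((name, f"high-entropy token {tok[:12]}..."))
    return findings

def scan_raw_message(raw: str) -> list:
    """Parse an RFC 5322 message (headers are enough) and report suspicious X-Spam-* headers."""
    return header_findings(email.message_from_string(raw))

# Constructed sample: headers a legitimately SpamAssassin-tagged message carries.
BENIGN = """\
X-Spam-Checker-Version: SpamAssassin 3.2.5 on mx.example.net
X-Spam-Status: No, score=1.5 required=5.0 tests=BAYES_50,URIBL_BLOCKED
X-Spam-Report:
\t*  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
\t*  1.5 BAYES_50 BODY: Bayes spam probability is 40 to 60%
"""
# Constructed sample: the report header carries a base64-looking blob instead of a rule line.
COVERT = BENIGN.replace(
    "*  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.",
    "* dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZSBibG9i")
```

`scan_raw_message(BENIGN)` returns an empty list, while `scan_raw_message(COVERT)` reports the X-Spam-Report header; a real deployment would run this on the mail gateway or against captured SMTP sessions.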
PacketLife.net has a January contest posted. From the packet capture given, determine the IOS version of one of the systems.
Well played indeed. In my posts discussing the recent MD5 hack that led to a rogue CA, I neglected to give the utmost credit to the researchers involved. These guys did an amazing job to not only recognize and develop the attack, but to actually execute it, dodge the legal questions, and present their findings at CCC.
And you gotta wonder what it would feel like to have in your hands a rogue CA that can break the trust people have in the web. That definitely has to be an awesome feeling, and I think we all owe the guys a weekend and a beer!
I invariably seem to hear about the hacker challenge stories on the EthicalHacker site only after the deadlines have passed. I’m not sure if I’m the one who is behind or if it has anything to do with the headache-inducing site they have which looks like a freakish juxtaposition of a forum with news script software from 1998 (yet powered by Joomla!). Great books! Messy site!
At any rate, their latest challenge is up, and hopefully the chosen answer will be up sometime soon!
Lee Hinman has a post on writequit.org about “De-gooling” himself, i.e. using tools other than those provided by Google. I commend this effort! Ever since Google went public I’ve trusted them far less (much like Yahoo) but have to grudgingly admit their tools are speedy and good for what I need. Unlike Lee, I’m not so open to accepting that Google has stuck to their “Do no evil” mission, but what can you expect when you suddenly have so many stakeholders holding your feet to the fire of profit? I completely share Lee’s concerns over privacy with the Google-machine.
I’ve never heard of Scroogle as a search tool. I’m sold!
Note to self: Open a new account someday just as an RSS feed reader. Bonus points if I find a way to permanently proxy to it.
Read the rest of Lee’s article for more ideas on replacing some Google tools.
I’ve long enjoyed my 2 year-old Wi-Spy. I see they will be coming out with a Wi-Spy DBx “soon” for $799. If you sign up, I guess you get a coupon for $200 off when it is released.
Sadly, the price point moves this out of the “geek gadgets” realm and into an area meant for people who professionally test, monitor, or manage wireless networks. I actually do not manage a wireless network at my current job, so this gadget would really just be a for-fun deal. Even with the coupon, $500 is too high for a toy for me. But I wanted to mention it to remind me it is there, and give someone else the idea if they could use it and afford it.