scalable desktop security scanning

Jeremiah Grossman has an interesting post that covers 2 neat topics: scalable scanning and WhiteHat’s hardware setup. Cool stuff on the second part. For the first part, I think watching topics like scalable security and scanning would be important for those who think all this IT and more importantly security emphasis these days will lead to further outsourcing of said roles to specialist groups. I’m not an executive or into accounting, but I am not oblivious to the idea that IT/tech/security is not a core competency in most organizations, and instead is a cost center (i.e. not a competitive advantage either). (Yeah, I like dropping terms I actually learned in school now and then…)

Then again, maybe a specific case like Jeremiah’s is a bit strange. I mean, look at how much their hardware (storage) requirements have to increase, and no doubt they need tools and/or people to make sense of the reports, as their scan targets increase. Perhaps desktop scanning software scalability is not the real battleground, but rather how do you do web security scanning quickly and meaningfully (as a sort of macroscopic/meta vantage point)? While admittedly conceding that you can only get x% of the scanning done via automated means.

It (obviously) crossed my mind that another group who may have the use-case for large-scale scans could be attackers. But that may be a bit of a red herring. Do they need to do such huge scans to be successful? No. Even if they did, as demonstrated by Jeremiah, you’d need some serious infrastructure (provided by botnets no doubt) to power the whole thing. The more of that you need, it seems to me the more said attacker would be exposed. Attackers are still far too successful with smaller-scale, smaller-footprint attacks that can be surgically wielded from pinpoint locations that are not hard to expend. Even assuming the worst, I’d doubt attackers would ever need to move above desktop-grade scanners anyway.

Just thoughts!

symantec hack is whack is a case study

Yeah, we’ve all heard more than we need to about Symantec’s Hack is Whack campaign and the security holes found in the newborn site.

This is what I call a decently Big Deal; a sort of case study in how even a security giant is dropping a site out onto the internet that is full of holes. Certainly Symantec has security experts enough to review their code and make suggestions, or code it up properly from the start. Or at least have some oversight to slow down the process and make sure marketing has their details buttoned up, right? (I’m quite aware that marketing no doubt implemented and ran with this completely on their own, likely through a third party or even fourth party, but my point will remain…)

This really provides a horrible, sobering example of the state of things right now, especially in how important security truly is to organizations. Far too many do whatever they want, until someone pokes the soft spots and points them out. The more public or damaging, the more likely a quick response is forthcoming. And this from a security company!

I’m not going to go so far as to say this is a call to arms for security to be at the forefront of marketing in Symantec or even any organization. That’s a dreamy ideal, but not one I’m thinking is realistic at this point. No one likes security dragging the timelines out and making things complicated!

It should instead be more of a call to arms for executives to care about this sort of thing, which in turn can start permeating that cultural change in everyone else. It just doesn’t work to be 100% reactive. That is still what I call the Big Gamble in organizational security. Roll it out there and hope no one ever cares too much and finds big holes. That or the attitude that you can’t secure it yourself, so roll it out there and let others provide your QA and security testing for you. I agree you can do those approaches, but they can’t be your only approach. You’ll either continue to be laughed at, or you’ll get pwned and not know it.

I may still be a bit idealistic in my viewpoint. In larger corps, they’re just too big to play catch-up on everything that is going on. In smaller corps, they just want to survive and can’t afford to go slow or embed security in something that may not even exist in 6 months if it fails.

incomplete thoughts: dreamy aspects of a solid security posture

This is another incomplete, but interesting post. Not sure why I started writing this, but I always like the dreamy feel of “best case scenario” types of descriptions. Like what is your dream job? What is your dream vacation? In this case, what is your dream security team posture? I’ve added a thought below in bold. I probably never released this since I likely have said these same items in other blog posts, comments on other blogs, over twitter, and in personal discussions, so it sounds a bit like a broken record to myself.

Simple steps to a strong security posture:

– Staff. Don’t skimp on quality security staff. The anchor of any security team is the skill, talent, and enthusiasm of the top players. It is ok to have some lesser-skilled players or interns. They help provide perspective, an ability to allow senior staff to mentor, be mentored, and possibly do the things that you’d hate to have a $100k staffer do every day like cruise logs or something. In addition, be liberal with their training opportunities, both on and off the books.

– Operate the team as an advisory unit, a monitoring unit, and an active penetration team. Basically, don’t just watch for breaches or react to things already done. Be an internal consultation team for developers, sysadmins, or others who would like or need more guidance on security issues. The team should also be able to and allowed to do planned and unplanned security audits and penetration tests against company assets. It’s not just about implementing, tuning, and addressing trouble tickets about a host-based firewall on desktop systems, or auditing the systems through a central mgmt interface to ensure exceptions aren’t being granted by non-security-minded desktop staff. It’s about helping the business as a whole.

– Be given autonomy and authority in the company to make recommendations, on par with a high-level consultancy. If a security team expects an application to be built securely and offers proper assistance and knowledge to the app team, they should expect to have their concerns addressed reasonably, rather than what often turns into a mgmt political battle or simply ignored demands. It needs oversight over the company assets and IT, really.

– The team should be given some level of operational power or control, especially over their own systems and test systems/networks. Security staff isn’t just about installing endpoint software or watching logs or even consulting or pen-testing internally. They should be able to test and implement changes as needed without having to walk someone else through it or wait (for political or scheduling reasons) for a real engineer to attend to their ticket. It is my opinion that quality security staff would also make quality operations staff (or quality management in general if that is their focus)…so give them that latitude. (They should also be held as accountable for availability mistakes as operations, when acting in that space.) Of course, this butts up against the problem of having too many hands in the cookie jar, for instance 6 people having access to update firewall rules. That’s 5 extra ways of doing it that don’t match your own philosophy!

incomplete thoughts: 5 of my security pet peeves

This is my getting rid of some incomplete thoughts sitting around in my unpublished bucket. This post could be 3 years old or it could be 3 weeks old, I’m not sure. Peeve #4 is a bit of a reality, and I’m not sure I would today include that in here if I rewrote this today. The ending example goes nowhere, and #5 isn’t finished. Either way, just getting this off my chest and published.

5 of my IT security pet peeves. Notice that these are not necessarily technical issues. I don’t feel like our biggest challenges are technical in nature. And while I might call these pet peeves, they don’t necessarily frustrate me nearly as much as most of my driving pet peeves.

1. No Big Box Tool beats a good admin, but we’re obsessed with the Big Box Tools. I’m not a big fan of all-in-one-boxes or UTM or centralized SOC-in-a-BOX. On one hand, I really like the power that tools have been getting in terms of analyzing and collecting data in one place. Sadly, I don’t think any single box performs better than other smaller tools being used wisely by a crafty admin to achieve the same goals. There is a certain watering down (each piece is lower quality compared to specialized tools) and dumbing down (take the analyst away from the guts long enough and he’ll only know how to work the GUI and not dig deeper manually) and feature-bloat (try to pack every option that 10,000 companies will use but no company uses half of them at once) to big boxes that simply cost in terms of quality. The real key here is whether you have a crafty admin with the time necessary to wisely wield those surgical tools. Instead, we too often take the quality hit to save some money…

2. Not enough time. In our American culture, we have this obsession with milking productivity from our workers. We demonize leisure time, personal time, even vacations; maybe not openly, but we insinuate that anything less than 100% is bad. This trickles down into IT staff who have little free time to improve their situation beyond rushing from one fire to the next, or one project to the next. You know you’re in this situation if you’re doing task A, notice that issue X is occurring just because you happen to see it, but know you won’t ever get to it and so just leave it. Security cannot be improved when time is booked. Either you don’t have the time to properly tune tools, investigate alerts (we’ve all had days where 1 alert takes 1 hour and days where 1000 alerts take 5 minutes), do simple audits to verify security, or keep on top of current news. Let alone the mistakes that will be made due to the pressured time-boxing… You want to improve security? Improve the time your staff has to find and make enhancements. Anything else just means everyone relies on the audits and only does what is prescribed at the time. (This also means your staff needs to be enthused about security, and not just use their extra time to surf YouTube. If you don’t have enthused staff, then replace this item with: People who don’t hire enthused staff!)

3. Too many people still believe ignorance (or ignoring it) is an effective security strategy. I’m borrowing this straight from the article I just posted about earlier, because I think it is an epidemic (pandemic) problem. That noise coming from your engine? Yeah, it’ll go away, right? It wouldn’t happen to us! I think ignorance and human habits of ignoring problems is a real issue. I understand that some risks are accepted and not every problem absolutely needs resources pushed at it to solve it, but collectively we’re sucking with even the basics of digital security. (I think most organizations scope-limit their auditors from half the stuff that is wrong.)

4. Convenience trumps security, or, security is never as easy as it sounds. There are a few tasks that sound easy but illustrate exactly how time-consuming really managing security is: data classification company-wide, account oversight and review, file server permissions audits, knowing exactly what data is where (yay laptops!), log reviews, and change management. Convenience trumping security is a more appropriate way of saying functionality over security.

5. We want security now, for free, and to last for years without further inputs. How many PCI projects have we collectively seen that have deadlines? And after that deadline, PCI (or security) is considered done and the consultants/contractors let go. That’s a win for sure!

Just to juxtapose a few items from above, here is one scenario. You have a not-very-technically-proficient security admin in your company. He’s not given the most access, probably not enough to do this job effectively. He doesn’t have the ability to implement proper NSM without the techs making his requests bottom-of-the-barrel priority. In fact, he doesn’t have much more than the ability to get an All-In-One-Security-Box. Likewise, said security box doesn’t give him much data for an alert. Oh, and by the way, he’s an important admin who talks with execs every few weeks with some certs under his belt, so he feels he gets paid more than someone who does the grunge work like reviewing logs, accounts, or testing those firewall changes. So no one really checks that stuff. When audited, the admin knows just enough to give the auditor enough for a report, keep him away from the things he knows suck, but not enough to allow the auditor to expose underlying issues.

incomplete: a better representation of risk and compliance

I really don’t know where the fuck this post came from or where I was going with it. It offers nothing, but the picture links are fun! Took me a bit on the wildebeest one to realize I was trying to say “just another beest in the herd” with the “middle” pic. To my sensitive readers (really, there are sensitive security geeks?), skip the seal pic.

1. Too many words in PowerPoint presentations are bad. More creativity, more pictures, more visualization. Less words, less boring.

2. We also have this need to give quick representations of our risk or compliancy to management, often in the form of scores or grades.

I think these ideas should be combined “mashed up.” Screw the grading scale of A, B, C, and the levels like high, medium, low.

Imagine: You walk into the board room with several managers and execs. They get around to asking you how the company looks as far as compliance to PCI and/or your desired security level. You stand, flip open your notebook, and pull out a card that displays this picture:

[picture: seal clubbing]

I don’t have to give details, I think it speaks for itself: STATUS BAD!

Here are some more examples of compliance status levels.


incomplete: shmoocon podcaster’s meetup interesting topics

I wrote this months ago but I guess I forgot to publish it. Maybe I wanted to proof it more? Who knows, but here it is. Any non-bullet points that are bolded were added by me just now.

The mess that was the 2010 Shmoocon podcaster’s meet-up audio is available. I totally could use not hearing Paul “shhh” on a mic ever again! The talking was pretty crazy and all over the place, even disrespectful (hey beer was involved so it’s forgivable), but I feel like they did touch on some extremely important questions. Questions I’d love to hear them discuss again in a more refined situation (arguably, a podcaster’s meetup is more party than panel, however!)

There are no correct answers to these topics! That is probably why opinions in these discussions can be very passionate and even violent! Sometimes in certain properly bounded contexts, there are correct answers, but mostly not.

(Late update: Personally, the more I listen to Chris Nickerson, the more I appreciate his frank opinions and where he has his head. It’s in the right place, and while I know he can have an acerbic sense of humor to some people, he’s increasingly one of those voices worth listening to if he tells you something.)

1. exploit vs not exploit – I’m not sure this topic was given its fair due, but I’m not sure everyone was on the same page in the discussion anyway. Andy Willingham gave this the once-over already in a blog post. The topic brings up good questions on what you do on a test and what is actually meaningful. I notice I didn’t really weigh in on this topic, and honestly the view from the fence is fine for me and probably reflects both my security and operations sides.

2. SMB vs large enterprise – There is a big gap that is hopefully becoming less the elephant in the corner and more one of the usual voices in the conversation. The world of the SMB in security is dramatically different from that of an enterprise or a city-state-nation. Approaches that work for large enterprises can be ridiculous for SMBs, and vice-versa. I think it matters that this came up multiple times. This still needs to come up, and the topic deserves a month of posts in itself.

3. properly presenting findings/recommends to a business – I’m finding it hard to word this topic, but it really runs the gamut of how you present security to an organization. And this digs at a very sensitive topic: security aligning to the business. I sympathize with all sides to this discussion. You could give the security teams and CSO their highly technical reports and let them distill it down to what is relevant. Or you could align yourself with the business and report your findings directly to someone like the CEO, in the CEO’s terms. Honestly, maybe pen-test teams need to have both capabilities and have that project manager/lead who is the one that acts as a temporary CSO in the absence of one. This is a great topic, by the way, and I think really demonstrates the art and the versatility today’s security experts need to have; both the technical chops and the strategic chops and the ability to know when to use each.

4. “good enough security” – I think it was Mick from Pauldotcom that brought this up, and it didn’t get enough treatment, although I think this is also just as passionately divisive a topic as any. When you accept that there is no ultimately “secure” state, or there is no “win” in security, then you really do subscribe to some form of “good enough security.” Where that proper line is drawn is really the art of risk management, and that line is probably far lower for SMBs than large enterprises. Security pros these days have to be able to get into the mode where it’s not just about violently defending every little insecurity, but about recognizing each issue as part of the whole. Bad password policy? Fix it!! Outdated SSLv2 cipher on an internal app that is 5 years old used by one team? Consider letting it slide. (Side note: This is where lack of real security chops can bite many people in the ass. It is inevitable that non-tech people will look at issues presented and demand fixes for each one, even the “low” priority ones. This creates wasted effort and inefficiency…and so on.)

5. privacy differences between europe and the us – I thought this was an excellent question by Nickerson to spark some conversation on a topic I hadn’t really dwelled on before. Because Europe has a different emphasis on privacy for people, they have an entirely different mindset in regards to security in organizations. Not saying it’s all good, but the difference can be useful.

6. listening to internal security experts vs paying someone outside the company to say the same damn thing – Good point on this topic, and I think every penetration tester or consultant or third party needs to not just work to align with the business and talk in a way the CxO understands, but also empower and support those internal persons who make security happen. Recognize and empower (and not undermine!) the talented security folks out there. Build networks, exchange advice, encourage; don’t have an antagonistic relationship with them, plop down some mysterious report on a CxO’s desk, then walk away briskly. Try to change the way the CxO views her internal support staff so that we can Get Shit Done. But yes, it really, really sucks when a CxO pays top dollar to get a report that says the exact same thing I may have been saying for years.

If there’s any topic I’d love to have brought up because it fits with this motley crew of passionate voices, I’d have asked opinions on MSSPs vs internal staff, both for large enterprises but also SMBs.

incomplete: fundamental cultural changes caused by the internet

I’m sure there are plenty, PLENTY, of other essays by far smarter people than me in this topic, so rather than let this languish in the “polish this up” bucket, I’ll throw it out as is because I know I’ll never truly ever finish this. Still, this actually reads fairly decently for a 30-minute stream-of-consciousness bit. Oh, and I know it’s not ten!

Ten Ways Internet/Computers have changed our culture deeply.

– I barely know what a phone book is anymore; if I want to find a location or phone number for a business or category of business that I need to visit, I’ll search for it on the web. This is a culmination of easy, extensive searching and ubiquitous web presence. Phone book? Ok, I’ve used it to find a mechanic on a Sunday…

– Dispelling irrational answers to questions – Back when I was a kid, you had four places to glean information, in general: media, teachers, parents, public library. Media would have included newspapers, magazines, radio, and television. All of these meant effort and a certain expectation of trust. The web still requires trust, but I can much more quickly find corroborating stories and information and weed out the misinformation. While the web may not give accurate information all the time, it at least gives me a better chance of self-serving accurate information.

– I’m more in control of my time. While the Internet seems to suck time away with an infinite number of things to do and see, it does let me bring back time control into my life. Rather than wait for 30 minutes in the evening news to see the sports scores or tomorrow’s weather, I can get it immediately online. I can skip the things I don’t care about, and read more of what I do care about. I can shop and order products online, research and compare.

– I’m more in control of my tastes and interests. In my youth, I was only exposed to whatever was near at hand, for the most part. Musically, I only experienced what was available on the radio, television, or through friends, all of which precluded most anything that was not pop-oriented. With such portable media and access to anything I want, I can expand my boundaries and listen to musical media that I never, ever will hear on the radio in the central United States. As a kid, if I wanted to figure out the solutions to a particular video game, I had to wait for it to be released in book form, in a magazine, or advice from friends in my neighborhood. My neighborhood for interests is now limitless, and I don’t have to leave a game unsolved.

– My social network has grown. As a child, I had a finite number of people I knew and could spend time with, all of which had to be in close proximity to me, unless I picked up a pen pal. Today, I can get first hand information about life in China through knowing people either in chats or other social networks, or through their blogs and stories.

– My idea of a job has dramatically changed. I can’t actually imagine what I would do for work without the computerization revolution. I have not experienced office work without automation or computers or digital information. I’m not that removed from such an archaic workplace, but it certainly seems a world away.

– I am a much more informed and well-supplied consumer. Rather than rely on a magazine, friends, or in-store help, I can self-serve online research on what products are good and which ones to avoid. Hell, I can also buy things online without getting up off my ass, either from storefronts or auction sites. In fact, not only can I research online, but if I want specific item ABCD, I don’t have to hunt my city for it and maybe walk away empty-handed. I pretty much *will* find it online, somewhere.

incomplete: leveling up your security career wow-style

This is an incomplete thought I first jotted down a while back, but never fleshed out into something more coherent. I liked the thought though, and wanted to just release as is and get it off my “unpublished” list! I was reminded of this post by Rothman’s recent Securosis blurb about practice (way at the bottom). Thoughts added just now are in bold. Keep in mind this is incomplete, unedited, and unpolished. I ramble and mix things and even repeat things with wild abandon! Oh, and even now as I play some Starcraft 2 and get my ass repeatedly stomped in Platinum 1v1, I know that I can read and practice against the AI and read some more, but nothing will replace actual experience in going into another game and getting stomped and learning the hard way.

I’ve not made it a secret that I’ve been an avid World of Warcraft (WoW) gamer for years. I definitely don’t play as obsessively as I used to (for those in the know, I ‘hardcore’ raided MC, BWL, AQ40, and even some of Naxx40, then skipped ahead after a break to ‘softcore’ raid Hyjal and BT pre-nerfs; since then I’ve done a couple naxx25 clears and that’s it beyond 5m heroics and casual leveling), but even my casual playing sparks some interesting thoughts now and then, especially when it comes to “leveling up.”

In WoW, and really any other RPG game, there are a few key tenets to making the most of your effort. Surprisingly, these tenets can match exactly across to real life endeavors. And every time I put forth some effort to improve one of these tenets in WoW (leveling up a toon, making some gold…), I’m reminded of the opportunity cost of putting that effort into something more tangible like my security career. (Don’t get me wrong; I’m a lifelong video game hobbyist, and I’m not saying video games are useless, but it shouldn’t dominate one’s time, just like any other hobby pursued in leisure time!)

So if you find yourself stuck in an MMORPG gaming rut, start looking to translate that effort over to something useful in security. This may start with asking yourself what it is about gaming that is relaxing, and why security does not bring that same relaxation. If it relaxes, stimulates, and makes you happy, then your free time will be spent in it just as casually as a 4-hour trip into WoW.

1. Knowing your class. From here I was going to go into knowing your skills, strengths, and weaknesses. In WoW, a warrior class doesn’t try to heal, and translate that into security skills and roles…somehow.

2. Grinding (aka leveling up). This is pretty basic to any role-playing game: your character gets stronger the more experience he gets, aka “leveling up.” In gaming, “experience” is usually a value, even if it is hidden behind the scenes, which accrues as you fight and kill monsters. As your experience increases, you gain more power, and can tackle more powerful monsters, which will gain you experience…and so the hamster wheel begins to turn. A more physical version of this is lifting weights and slowly increasing your limits as your muscles and supporting structure build and grow.

Sometimes this is a “grind.” “Grinding” in WoW means the slow cycle of killing monsters and doing the same ol’ quests to gain your experience; basically it becomes a long, boring grind…kinda like work!

Growth in a security career comes much the same way; the more experience you have, the better you are able to handle the challenges in front of you. Often, this is gained by simply doing security-related things. The more nmap port scans you run, the better you are able to tackle complex scans. The more you use Metasploit to expand your empire, the more you can dig into the lesser-known components of the tool and not get bogged down on strange gotchas. The more PCI audits you do and reports you make, the better and quicker you get with them, and the more value you can provide efficiently to your client.

We often don’t have an end goal in sight, but rather know that we simply want to level up.

3. Leveling up tradeskills. WoW has what are called “tradeskills.” These are skills you build up by doing that activity. For instance, Fishing and Blacksmithing are two tradeskills. You can fish better and do blacksmithing activities better by, well, doing them in the first place. For something like blacksmithing, the higher your skill, the better your opportunity to make really cool and valuable things.

In other words, if you want to be good and useful at something specific, you have to practice it and get better, especially when it comes to various skills you want to acquire. Unlike leveling up, most often this begins with an end goal in mind, for instance, being able to use a particular skill to create/do XYZ which will gain you money or notoriety.

You want to be good at public speaking? You have to do some public speaking. You want to be good at coding exploits? You have to code some exploits. You want to be good at picking locks? Obviously, you have to pick some locks. (Nicely, WoW has a lockpicking skill you can build!)

And just like starting out your skills at a puny level in WoW, you usually start small. You do some low-key public speaking. You walk-through an exploit tutorial. You pick training locks.

So if you want to be known as being good at some tools or aspect of security, you gotta practice it and build up your skill. This isn’t so much a part of your character and confidence like leveling up your character, but more like being good with the tools you have and want.

In WoW, you can leverage these grown “tradeskills” to make in-game money so you can buy cooler gear and weapons. In real life, well, these skills will get you nice REAL things.

4. Gearing up. In WoW, your character’s success relies on more than just his level (aka amount of experience earned). Success, especially as you get further into the game, resides very much in the gear and equipment you’ve acquired for your character. You won’t be very successful with a low level sword, but if you find a badass high level sword which you can use, you’ll be nicely ready to do some damage to the next red slime that oozes your way. Gearing up means a few things. First, giving yourself a chance to get/buy/find the gear. Second, knowing what gear is useful to you.

Security careers have the same dilemma. Some tools are going to be useful to you, but some will not.

Strangely, WoW doesn’t have unlimited inventory space for you to keep 1000 pieces of gear. In life, you really don’t have the aptitude and time to likewise hold onto and learn 1000 tools. Figure out what you need to improve, and pursue the tools that will help you succeed in your goals.

WoW players can put a ton of time into picking out, pursuing, and testing out their gear.

Oh, and don’t forget that you can get a bit literal with “gearing up.” A nice pair of slacks and a tie can increase your chances of getting what you need out of management, at times.

5. Socialization. The “MMO” part of the MMORPG genre means “massively multiplayer online,” meaning you’re playing with lots of other actual people around you. You can spend your time in a game like WoW and never bother with anyone else, but you’ll only be able to learn on your own so far, and you certainly cannot see most of the end-game content and challenges unless you socialize to some degree. Most often to experience end-game content, you have to join a guild (a group of players, much like a team) and start participating in group runs through tougher dungeons.

Obviously, careers are the same way. You can probably get by on your own for quite some time, but there will be many doors you simply can’t open or even get near without socializing with others in the career. Whether that is simply networking to find new opportunities, gaining contacts you can turn to when you need assistance, or finding smart people from whom you can learn new skills and knowledge. Better yet, this also means socializing with people more “newb” than you are; which gives you a chance to reinforce your own knowledge by regurgitating it to others to help them.

incomplete thoughts: really changing the game?

This is an incomplete post that I never published and don’t see myself truly completing. And rather than keep it in my list of nagging unpublished things, I thought I’d release it to the wild that is the blogs.

First, go read Rocky’s piece over at fudsec on changing the game. Then read Mortman’s response over at Securosis. Those two links started whatever thoughts I had below…I think some are points the authors were making, and others are my own responses…but I don’t recall. Any current thoughts I’ll bold.

This quick, dirty synopsis is for my own benefit to better dissect the point of the article, and also demonstrate what I took away, in chunks.

1. The Information Domain is manmade, and it is a domain where we can change the landscape, not be bound to changing for it.

2. We’re short-sighted, rather than long-sighted. We tackle immediate hurdles rather than perform city-planning.

3. Need to change from short-term fixes to long-term strategy.

4. 3 ways: leadership, research, information sharing.

5. Leadership: No one is jumping to save us. We need to lead the way.

6. “[Businesses] need to care much less about being compliant and more about being fundamentally secure – or if you prefer having better visibility into real risk [to the business, not necessarily to an asset].”

7. Too much of what we measure is point-in-time.

8. As infosec pros we have let compliance initiatives drive spending and have ridden along for the ride.

9. We lack the knowledge of the business and how to apply what we do in a meaningful way to the business. I still find this an arguable point. In some cases, the business needs to understand IT (and security) more to better understand business continuity… Nonetheless, this is usually the weakest point in topics like this, not because it is not true, but because it is arguable and situational. Can we always convince business to treat security more aligned with the business or part of the core business line? No. How often are we satisfied that security is good and top notch? Not often, if ever.

10. Vendors fall into the hole of non-innovative solutions that are just meeting our needs, without pushing forward. Vendors need to be thought-leaders. In turn, vendors need to listen to their customers and deduce their actual needs. Consultants need to listen better. Vendors are in the same boat as internal security experts: trying to sell the idea. It would be far easier to be thought-leaders if security weren’t already perceived as dragging on the heels of innovation and itself being dragged into the boardrooms by breaches/regulations. Huge point about consultants!!! They need to listen better, and the industry needs to ditch or teach the charlatans.

11. Get past the “way it’s been done.”

12. Research. We need to support research. Research should be revolutionary, not evolutionary.

13. Information Sharing. Collaborate with industry competitors.

At this point my notes ended.

thoughts on the 2010 verizon dbir

Over a month ago, the 2010 Verizon DBIR was released. I’m still reading through it, but wanted to point out a low and a high point on the report. The low point (and by low, I’m not saying a horrible point, but rather just the lowest point in an already excellent and needed report!) of the report is including a significant amount of US Secret Service data. While this may prove over the years to be a very good inclusion, for now the USSS data obviously influences the percentages and totals. Of course, Verizon’s data set itself may have influences…so maybe the answer is to get more and more contributors and USSS is just the first.

Now, the USSS dataset influence is addressed many times in the DBIR itself. Which actually brings up the high point: the presentation. I love the way this report is worded, almost conversationally. They are candid with the data, point out conclusions, and even fuzzy places where you should maybe take the resultant data with a grain of salt due to whatever reasons. I totally appreciate that! In past years, I could make some inferences from the data that were not covered in the text, but I feel like this year the authors did a great job of analyzing and conversing about the data. I don’t actually feel like I can or need to infer my own conclusions. (Granted, you have to read the text to get that point, as the figures/graphs themselves can be misconstrued when out of context, in some cases.)

Also, the cover has a hidden message again, this year. This continues to lend “geek cred” to this report, along with the conversationally honest writing.

housekeeping – decompression

I apologize if you’ve submitted any recent comments. I’ve been swamped the past few months with work, and my free time has been spent decompressing with things like beer, podcasts, hookers, StarCraft 2, and so on. I just dumped about 10k comments which I quickly skimmed through, so I’m sure I dumped some legitimate ones by accident.

Keeping up on the latest security happenings, comments being submitted, and my own postings has been spotty at best. Things are looking to settle down just a little bit here, so hopefully I can get my own news-reading caught up as well. My RSS feeds are utterly out of control!

kidney punches from the windows dll hijacking vuln

There’s been a surprising amount of discussion about the recent Windows DLL hijacking vulnerability, often focusing on whether this is a Big Deal or something stupid. I won’t bother linking to anything or even joining in any further except to expound on my post earlier.

The DLL hijacking is interesting because, well…it’s like walking up to someone you have no reason to mistrust. You shake his hand, but while you do so, someone (maybe his evil twin who was following him) wings a hook beyond your peripheral vision and WHAM! kidney punch. Now, good twin had no idea evil twin was around, and was sincere in his greeting and handshake. But you left yourself open by shaking that hand, and evil twin dropped you to a knee for it.

We can often curse ourselves for shaking hands with the app/guy/file that throws the hook. You run an exe and that’s your problem. You run a streamed media file with malicious code, and that’s still mostly your problem (and partly the fault of the vulnerable app you used to open it). But in this case, you could open a completely innocent file, and get kidney punched.

That’s the important gist of the hijacking vuln, to me. That and the importance this places on patching 3rd-party Windows apps that are vulnerable to this method.

moaub has begun

The Month of Abysssec Undisclosed Bugs (MOAUB) has begun. Since this includes (or maybe fully encompasses) the people behind exploit-db and offensive security, we can probably expect plenty of explanation on the bugs, especially the planned binary analyses.

Seeing things like this and the people behind it, it makes me a little annoyed to be in operations for an SMB. Ops means knowing a bit about a lot of things, but rarely having the time to go into the deep dives often necessary for real security knowledge. I envy and support anyone who has that ability and time! /whine

unprotecting excel sheets

Ever solve a problem, then 6 months later need to solve it again but don’t recall how you solved it previously? That is the sort of housekeeping I’m doing with this post. I make no guarantee that the site or tool mentioned below is safe/secure for your use. Always take necessary precautions.

Have an Excel file that has password protected sheets or workbooks? I found a handy set of macros to facilitate unprotecting such files over at To be safe, I’d suggest unlocking the files, copying the contents out to a new file, and making sure no strange macros get carried over. I didn’t witness any, but better to be safe. And do this all on an expendable system. [excel password crack unprotect]
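Before copying contents out of a workbook you didn’t build, it helps to know whether it carries a VBA project and which sheets are protected. The following is an added example (not the macros linked above, and not tied to any tool on that site); it uses only the Python standard library and relies on the OOXML layout of .xlsx/.xlsm files, where the document is a zip of XML parts, macros live in `xl/vbaProject.bin`, and protection shows up as `sheetProtection`/`workbookProtection` elements. The sample workbook it inspects is constructed inline for offline demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Default namespace of SpreadsheetML parts (workbook.xml, sheetN.xml).
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}


def inspect_workbook(data: bytes) -> dict:
    """Report embedded macros and protected sheets without modifying anything.

    Sheet/workbook protection is only an edit lock on the XML, so this check
    needs no password; it simply tells you what you are about to copy from.
    """
    result = {"has_macros": False, "workbook_protected": False, "protected_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # A VBA project is stored as a binary part; its presence means macros.
        result["has_macros"] = "xl/vbaProject.bin" in names
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        result["workbook_protected"] = workbook.find("m:workbookProtection", NS) is not None
        for name in sorted(names):
            if name.startswith("xl/worksheets/sheet") and name.endswith(".xml"):
                sheet = ET.fromstring(zf.read(name))
                if sheet.find("m:sheetProtection", NS) is not None:
                    result["protected_sheets"].append(name)
    return result


def build_sample(protected: bool, with_macro: bool) -> bytes:
    """Constructed minimal workbook container for the demo (not a real Excel export)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "xl/workbook.xml",
            f'<workbook xmlns="{MAIN_NS}"><sheets><sheet name="Data" sheetId="1"/></sheets></workbook>',
        )
        lock = '<sheetProtection sheet="1" objects="1" scenarios="1"/>' if protected else ""
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{MAIN_NS}">{lock}<sheetData/></worksheet>')
        if with_macro:
            # Placeholder bytes standing in for a real VBA project part.
            zf.writestr("xl/vbaProject.bin", b"constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_workbook(build_sample(protected=True, with_macro=True)))
```

Run it against a real file with `inspect_workbook(open("book.xlsm", "rb").read())`; a non-empty `protected_sheets` list plus `has_macros` true is exactly the case where copying values into a fresh, macro-free workbook is the safer route.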