cyberraid 0 red team event recaps at hir

(Cool, my [work] web filter isn’t blocking HiR as criminal hacking anymore. Sweet! [Yeah, I know I can make exceptions in it since I control it, but I don’t. This is *one* reason why I’m so late in seeing these!])

Ax0n and Asmodian X have posted some excellent thoughts on their experiences during the CyberRAID 0 event in KC. I’ll follow with a couple thoughts of my own.
Ax0n (blue team): part 1
Ax0n (blue team): part 2
Ax0n (blue team): part 3
Asmodian X (red team)

Egress filtering. Firewalls were sexy 10 years ago. Ask any pentester today and they’ll say external scanning is usually pretty boring now. But for as far as organizations have come with ingress firewall filtering, far too many still suck horribly at egress filtering. I like seeing further evidence of its value. Yes, it’s hard to get going in a production network without making mistakes and ‘discovering’ business requirements the painful way…but this is one of the higher value efforts that many organizations still leave undone.
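To make the point concrete, here is an added example (my own illustration, not code from HiR, Ax0n, Asmodian X or the CyberRAID event) of what a default-deny egress policy actually does. It models a small allow-list for a hypothetical 10.0.0.0/16 LAN, runs a handful of constructed outbound-connection log lines through it, and shows both the payoff (a workstation talking straight to an Internet host on an unexpected port gets dropped) and the failure mode mentioned above (a mail relay nobody documented gets dropped too, until its rule is written down). All addresses, ports and log lines are constructed sample data.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str                  # "tcp" or "udp"
    src: ipaddress.IPv4Network  # which internal hosts the rule applies to
    dst: ipaddress.IPv4Network  # allowed destination network
    dport: int                  # allowed destination port
    note: str                   # why the rule exists (the part people forget to write down)


def net(cidr):
    return ipaddress.ip_network(cidr)


# Constructed allow-list: DNS only to the internal resolver, web only through the
# proxy, and only the proxy may reach the Internet. Anything unmatched is dropped.
EGRESS_ALLOW = [
    Rule("udp", net("10.0.0.0/16"), net("10.0.0.53/32"), 53, "DNS only to the internal resolver"),
    Rule("tcp", net("10.0.0.0/16"), net("10.0.0.8/32"), 3128, "web only through the proxy"),
    Rule("tcp", net("10.0.0.8/32"), net("0.0.0.0/0"), 443, "proxy may reach the Internet"),
    Rule("tcp", net("10.0.0.8/32"), net("0.0.0.0/0"), 80, "proxy may reach the Internet"),
]

# Constructed log format: one outbound flow per line.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def decide(proto, src, dst, dport, rules=EGRESS_ALLOW):
    """Return (allowed, note) for one outbound flow under a default-deny policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto == proto and r.dport == dport and s in r.src and d in r.dst:
            return True, r.note
    return False, "no egress rule matches: default deny"


def audit(log_lines, rules=EGRESS_ALLOW):
    """Run connection-log lines through the policy; return the flows it would drop."""
    dropped = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # ignore lines that are not flow records
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        allowed, _ = decide(proto, src, dst, dport, rules)
        if not allowed:
            dropped.append((src, dst, proto, dport))
    return dropped


# Constructed sample log: a workstation doing normal things, the proxy fetching a page,
# the same workstation opening an IRC-style connection straight to the Internet (what a
# compromised host looks like when nobody filters egress), and an undocumented mail relay.
SAMPLE_LOG = [
    "src=10.0.1.12 dst=10.0.0.53 proto=udp dport=53",
    "src=10.0.1.12 dst=10.0.0.8 proto=tcp dport=3128",
    "src=10.0.0.8 dst=203.0.113.5 proto=tcp dport=443",
    "src=10.0.1.12 dst=203.0.113.9 proto=tcp dport=6667",
    "src=10.0.0.25 dst=198.51.100.20 proto=tcp dport=25",
]


def with_business_exception(rules=EGRESS_ALLOW):
    """The requirement 'discovered the painful way': allow the relay, only it, only on 25."""
    return rules + [Rule("tcp", net("10.0.0.25/32"), net("0.0.0.0/0"), 25, "mail relay outbound SMTP")]


if __name__ == "__main__":
    for flow in audit(SAMPLE_LOG):
        print("DROP", flow)
    print("after documenting the relay:", audit(SAMPLE_LOG, with_business_exception()))
```

The first audit drops two flows: the workstation's port 6667 connection (the one you want egress filtering to catch) and the relay's SMTP (the one that generates the help-desk ticket). Adding a narrowly scoped rule for the relay, rather than opening port 25 for the whole LAN, leaves only the suspicious flow blocked; the `note` field is there because an allow-list nobody can explain is the first thing to rot.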

Pointy-Haired Boss. While many business requests end up *becoming* reasonable with some communication of the risks/costs, there are still plenty that just defy explanation and may nearly get put into place anyway, despite being bad, bad, bad. I’m glad Ax0n brought this up in part 2. Sometimes a little deception is used, to keep risks properly handled.

Defense is tough. This is an old horse, but still worth flogging. Defense involves not just fighting with attackers, but also keeping your own facilities up and properly working (scoring), backups and recovery from incidents, meeting business demands, inheriting things you didn’t create, and even learning brand new things (e.g. Asterisk) because, well, you have to. Not to mention all the soft-skills that come into play.

Attacking threats is tough. I support people in positions where they are able to actually attack threats, but most business is not in that position. The reality for most organizations is exactly what Asmodian X said, “Law enforcement is worthless unless you have done the leg work and provide them with useful information.” And yet, look out when the attackers start collaborating!

incomplete: on running faster when chased by bears

Common security analogy: “When you’re chased by a bear, you just have to run faster than the guy next to you!”

I continue to hear this analogy, and like pretty much any analogy it has holes if you look too closely. So the contrarian in me gets restless when I hear it (or insinuations of it) a few too many times. Lord knows I’m sympathetic to analogies and try not to get too far beyond the spirit of their point, but the over-used ones lose that privilege eventually!

1. Assumption: the bear is rational. I’ll run (pun unintended) with this further…

2. Assumption: the bear will survey all of his possible targets and choose the one most accessible. The bear may not know all of the possible targets, or not even bother trying to make himself aware of all the possible targets.

3. The bear may not properly evaluate the targets he does see.

4. Again defying rationality, the bear may just go after whomever for strange reasons. Maybe the last target he ate that was wearing a blue vest tasted good.

5. Assumption: the bear will stop after he takes your buddy down. If a blanket, automated malware campaign is released, it will probably not stop at one success, but rather keep going to get as many as possible.

6. Assumption: there is only one bear. I’m pretty sure there are more attackers than just one mean ol’ bear.

7. Assumption: that you even realize there is a bear about. Let alone where he’s coming from, how fast to run, how the bear will respond, or whether the bear learned how to shoot a crossbow. (Yes, a crossbow.) The game may not be about outrunning the threat.

8. What about the bears of opportunity? Not every bear is a threat, but getting complacent because the last 10 bears just ambled on by with barely a sniff doesn’t mean the next one won’t take a swipe as he lumbers near. Can you tell a bear from a boar in the dark as it shuffles around? Or do you just run from everything that may be a threat…including your customers?

Blah, blah, blah. I had to get that off my chest a bit. Maybe this is a better picture. You’re in the woods. You and some buddies and about 500 other people. There are lots of animals and it is dark, the foliage is thick, noise is everywhere. There are also 100 bears. Some of these bears are large and obvious, but others kinda look a lot like your buddies or other people. Strange, I know! But the point is really that you can’t plan your security around simply being better than the others in your industry. In fact, others in your industry, strictly speaking, shouldn’t even be an influence (in reality, they are, but that is just good strategic management-thought).

verizon releases pci compliance report

Verizon has released an awaited follow-up to their annual DBIR. This release appears to focus on the correlation between data breaches and compliance to the PCI DSS. The report is near the bottom.

I can definitely say that the press release initially rubs me wrong for two reasons. First, I think it is obvious (at least to us) that activities that improve security (e.g. align with PCI suggestions) will, uhh, improve security. Second, anything that insinuates security via compliance sets a dangerous tone, namely that if you’re compliant you should be secure.

However! From my very superficial skimming of the pdf, this report looks much more interesting than just those two points up above that the press release seemed to salivate over. I’m also nitpicking that press release pretty hard. It might be one of those things where you see the title and opening paragraphs and suddenly start seeing red and it colors the rest of the text with that hue.

Picked this news up from Jack Daniel.

ever heard of the movie foolproof?

A few thoughts on a movie I watched this weekend that I’d never heard of before: Foolproof. Kudos to either the technical advisor or writer/director of this film for their research.*

1. Good lord, lockpicking done right?! Multiple times?! Indeed, not only do we see one of the protagonists pick several locks using *gasp* both a tension wrench and pick, but in at least one of those attempts it isn’t *double gasp* immediate! They even mention how it is taking him over 4 minutes to pick. I about fell over during that scene.

2. The protagonists are essentially doing red team activities, with an emphasis on physical attacks. To me, this sounds like a very healthy endeavor, even though they’re targeting companies they’re not affiliated with. One thing I liked, especially in their plans, is the lack of Hollywood dramatic license. Or rather, diminished use of it. I appreciate that…unlike the nonsense dialogue of Swordfish or stylized file browsing of Hackers. This is more like Sneakers, only without the sci-fi-esque prize (encryption decoder box).

I had more things to say last night, but I’m in a hurry this morning, so suffice to say I enjoyed the movie quite a bit, even though I see it was a terrible financial failure back in 2003. Give it a try!

* Minus one scene with the ever-present sharpening of a grainy image to read text on it. They came ever so close to pulling this off appropriately! They even had the dialogue correct and even sort of cut away from the usual telltale problem most films fall into, but you can still tell the print-out of the image is far clearer than it should be from a grainy security camera, even with some diddling to tease out some contrast to read text.

did that dead horse move? hit it again anyway!

Just another example from e-week about the trade-off between productivity and security. Too many people still act, often in an implied way, that security can be met without any impact on productivity or that productivity at any risk is justified. Or imply that security is only a technical problem that needs to stop getting in the way.

Federal executives said cyber-security measures impacted “information access, computing functionality and mobility” and reduced their productivity…

Aside: I still believe the use of just one comma in a three-item list is wrong and it bugs the crap out of me. (aka “serial commas”)