Deep Packet Inspection: A Legal Liability?
Deep packet inspection is not a new concept. It is, in fact, quite mature and combines the best of intrusion detection systems (IDS), intrusion prevention systems (IPS), and stateful inspection firewalls. The technology is extremely effective in combating malicious code and content attacks and in enforcing policy to a variety of ends. Additionally, it is quite good at providing detailed intelligence on application behavior and patterns as they appear within a given infrastructure. In modern enterprise and carrier networks this technology is both common and integral to ensuring operational efficiency while managing and minimizing risk.
Recently, however, it has come under fire and in at least one case been dubbed a measure by which the privacy rights of end users can and no doubt will be violated. The case in question is the recent announcement by Virgin Media that it will deploy a DPI-like technology package called CView within its network in order to better understand the prevalence and patterns of use of peer-to-peer networking sessions. The tool would in effect be capable of tracking sessions associated with peer-to-peer networks such as Gnutella, BitTorrent or eDonkey, which has created a negative buzz amongst organizations such as Privacy International, who appealed to the EU to step in and review the package proposed by Virgin Media. Virgin’s intentions seem straightforward to me, but perhaps that is due to my being an information security professional:
- Gain an understanding of the usage and patterns of associated usage with these P2P networks and clients
- Analyze the instability they present within the network in terms of inordinate resource consumption
- Analyze content for purposes of legality (to avoid trafficking in either copyrighted or illicit material)
- Implement throttling if necessary
- Implement policy control if found necessary by law or by virtue of Virgin policy
- Mitigate risk posed to the Virgin Media network environment and its user community
- Prevent the propagation of malicious code and content, up to and including advanced malcode kits and botnets
I have to believe the goal of using a tool such as CView (if you look the tool up you will see it does not tie individual identity information to the information harvested) is pretty straightforward and reflects much, if not all, of what is listed above. I find it hard to believe that this is a case where privacy should be an issue, though I am aware that in the UK under the Regulation of Investigatory Powers Act (RIPA), intercepting communications is a criminal offense regardless of what is being done with the data. While I am no expert in British parliamentary process or law, it would seem that this act would be prohibitive, if not crippling, to providing advanced security solutions while potentially curtailing illicit, illegal activity. Deep packet inspection is not the problem here; the problem is perception as it relates to where personal ‘freedom’ ends and illegal activity begins.
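To make concrete what "tracking sessions associated with peer-to-peer networks" means at the packet level, here is an added example of how a DPI engine labels a flow from its first client payload and keeps only per-protocol counts. This is example code, not CView or any Virgin Media code; the signature bytes are the public handshakes of BitTorrent, Gnutella 0.6 and eDonkey2000 as I understand them (an assumption about the current specifications), and the flows are constructed samples.

```python
"""Payload-signature classification of P2P sessions, as a DPI engine does it.

Added example; this is not CView or any Virgin Media code. It looks only at
the first client payload of a flow, labels the protocol, and keeps a count
per label, so the output carries no subscriber identity. Signature bytes
are taken from the public protocol handshakes (assumption: current specs;
real engines carry far more patterns plus flow heuristics).
"""
from collections import Counter
from typing import Iterable, Tuple

# BitTorrent peer-wire handshake: pstrlen (19) followed by "BitTorrent protocol".
BT_HANDSHAKE = b"\x13BitTorrent protocol"
# Gnutella 0.6 connection handshake, HTTP-like, sent by the connecting node.
GNUTELLA_CONNECT = b"GNUTELLA CONNECT/"
# eDonkey2000 TCP message: 1-byte protocol id 0xE3, 4-byte little-endian
# length of the rest of the message, then the opcode.
ED2K_PROTOCOL = 0xE3


def classify_payload(payload: bytes) -> str:
    """Label one first-payload sample: 'bittorrent', 'gnutella', 'edonkey' or 'other'."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if payload.startswith(GNUTELLA_CONNECT):
        return "gnutella"
    if len(payload) >= 6 and payload[0] == ED2K_PROTOCOL:
        declared = int.from_bytes(payload[1:5], "little")
        # Only accept the marker when the declared length matches the payload,
        # which keeps random 0xE3 first bytes from being counted as eDonkey.
        if declared == len(payload) - 5:
            return "edonkey"
    return "other"


def tally_sessions(sessions: Iterable[Tuple[tuple, bytes]]) -> Counter:
    """Aggregate labels over flows; the 5-tuple is read and discarded."""
    counts: Counter = Counter()
    for _five_tuple, first_payload in sessions:
        counts[classify_payload(first_payload)] += 1
    return counts


# Constructed flows: (src, sport, dst, dport, proto), first client payload.
SAMPLE_SESSIONS = [
    (("10.0.0.5", 51234, "203.0.113.9", 6881, "tcp"),
     BT_HANDSHAKE + b"\x00" * 8 + b"\x01" * 20 + b"-XX0001-" + b"\x02" * 12),
    (("10.0.0.6", 51235, "203.0.113.10", 6346, "tcp"),
     b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"),
    (("10.0.0.7", 51236, "203.0.113.11", 4662, "tcp"),
     bytes([ED2K_PROTOCOL]) + (10).to_bytes(4, "little") + b"\x01" + b"\x00" * 9),
    (("10.0.0.8", 51237, "203.0.113.12", 80, "tcp"),
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def summarize(sessions=SAMPLE_SESSIONS) -> dict:
    """Protocol counts only; nothing that identifies a subscriber leaves here."""
    return dict(tally_sessions(sessions))


if __name__ == "__main__":
    print(summarize())
```

Two caveats a practitioner will want: clients that negotiate encrypted or obfuscated connections (BitTorrent's message stream encryption, for instance) never send these plaintext handshakes, which is why production DPI supplements signatures with flow-level heuristics; and the privacy property claimed for CView depends entirely on the engine discarding the 5-tuple the way `tally_sessions` does, not merely on the signatures themselves.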
One of my favorite parts of penetration testing is and always has been social engineering. I love it. In fact, I love it so much that I developed a real passion for it. My passion led well beyond traditional social engineering and evolved into the study and practice of more sophisticated techniques associated with socio-psychological manipulation. It is a gift of sorts, and who am I to question a gift? When speaking with prospective or current clients about security assessments I have often implored them to include both physical security analysis and social engineering. This habit was formed upon entry into the world of professional security consulting, where I sharpened these skills under the tutelage of many senior to me in both age and experience. Almost all of my earliest mentors in this space were or had been active in the United States DoD or similar intelligence services, most of whom shared a common pedigree not unlike my own, hailing from the world of information security and intelligence. These environments taught us to remain vigilant and open to the idea that the unexpected should be expected; therefore our ability to address anomalous events must remain categorically strong.
Over the years, within many engagements, activities of this nature were written into SoWs (Statements of Work, for the lay person) and acted upon with the full approval of parties able to authorize such activity within and against their organizations, and of their legal representation (a detail I cannot stress enough and that should not be overlooked). We would conduct reconnaissance carefully, leveraging skills we had cultivated in our former lives and applying them to the commercial world. We would engage in deep open source intelligence gathering and analysis in order to supplement our knowledge base regarding our target(s). We would become familiar with the physical environment in which our targets could and would likely be found. These locations would range from their places of business, to local restaurants and pubs, to local shopping districts, to other geographic locales that we knew to be frequented by parties belonging to the target organization. All the while we would be looking for ingress and egress points in addition to ideal areas for initial contact and exploitation. We would additionally identify areas in which useful information might be discarded by targets who truly believed that no one would be interested (ah, how I loved dumpster diving in my youth!). Finally, upon having enough information we would begin our careful insertion and infiltration. There is an art to doing this as much as there is a science and at times the art becomes (or at least in my experience became) much more valuable.
These exercises almost always proved fruitful, as they would typically be multi-faceted, involving multiple small teams each of which was cognizant of the others’ activities but all tasked with different missions within the greater assessment. Some teams focused more upon physical compromise of the environment and the acquisition of credentials and knowledge which could be socially engineered or stolen and thus counterfeited to serve our purposes in pushing deeper into the environment, escalating our mission per our SoW and charter. Others would work on compromising individuals, seeking to gain their trust and subsequently their knowledge and any information considered noteworthy. Others still would work on electronic social engineering utilizing e-mail, web and telephonic techniques, all designed to gain the trust of our targets or members of our target organizations in the hope of escalating our privileges and advancing our efforts. This was good work. It was important work. And it was work that not all are capable of nor designed for. To the layperson reading this post I imagine it sounds outrageous, if not frightening, that work of this nature goes on and is conducted by security professionals in an effort to test and assess the security posture of a client, and to a degree I can understand that attitude. However, this work is terribly important and often demonstrates weaknesses not previously accounted for within enterprise environments (public or private) during traditional security assessments and audits.
At this point you may be wondering whether or not there is merit in engaging a qualified team to provide this type of service in addition to the traditional services brought to the table as part of a security assessment. My personal perspective is that if you have overt responsibility for the risk posture of an organization and understand that security, or the state of being secure, is contingent upon the three legs of the security stool (people, process and technology) being dutifully tested and exercised, you most assuredly should do so. Failure to do so can expose you and your organization to a world of risk which complying mindlessly with a three-lettered data security standard or a mutagenic health-privacy act cannot hope to save you from. So what are we to do? First, if you haven’t already done so, conduct a meticulous review and analysis of your organizational information and physical security policies. If you don’t have any, now is the time to remedy this deficiency. Should you (as I imagine most do, but will refrain from assuming) have these policies on hand, review them while employing a healthy dose of third-party ego: remove yourself from immediate, intimate involvement with them as they relate to your job and evaluate them as though you were brought in to do so as a third party. Do they look mature? Are they clearly articulated and well defined? Are they comprehensive? Do they address the natural bridges that occur between physical and logical security? Provided you have the resources, engage them to conduct preliminary assessments (provided they are qualified to do so), and if they are found to be lacking in that ability, do not hesitate to contact professionals with the appropriate pedigree, background and reputation to scope a statement of work on your behalf.
Remember that not every attack of a truly serious nature takes place across a wire and that many begin and end with a simple telephone call, a conversation around a smoking area or via a new hire.
Security Awareness: Hope At the Bottom of Pandora’s Jar
Recently I spoke at a private conference sponsored by a global, multi-national manufacturing and biomedical organization. It was a real pleasure for me to speak there as I was doing so with a colleague, and it is always fun for me to present that way. The topic for our presentation was influenced by information we received from the organizers about their wide and diverse audience, an audience which during the initial presentation would include 130+ people in person and several more watching via streamed video in 7 different countries. It would eventually be used by the organization to educate their 26,000+ day-to-day computer users, something to be pretty excited about. These users, like users in many other organizations, ranged in experience level, some having basic knowledge of information security and others having much more in-depth experience. It was going to be a fun presentation, and the opportunity to share knowledge and in turn be exposed to the experiences of others was going to be worth the effort.
Realizing the diversity of the audience and experience levels, we decided to produce a deck which would explore the Internet threat landscape, touching on key ideas and concepts which the organizers believed to be appropriate for the time and audience. We were to speak at the end of the day, so we decided to encourage an interactive approach during our presentation versus the traditional academic style. We were privileged to receive a wonderful audience response as a result. A calculated risk, but a risk nonetheless. A lot of information was covered in a relatively short period (we lost 30 minutes of a 90 minute slot and were notified not long before taking the stage). Lights, camera, revolution! Opening remarks were made, the obligatory joke to break the ice and set the tone, and then through the looking glass and on to the threat landscape. It was going to be a good presentation. As we progressed through the deck it occurred to me that there were looks of disbelief, shock and awe appearing on the faces of many in the audience. They dotted the local landscape the way wildflowers do hillsides in spring. Additionally, the knowing nod of heads could be seen as well; a good sign that the mark was being hit. As the presentation continued to flow we began introducing common threat vectors being exploited along with a brief historical overview of malware from 1971 to the present. I introduced the idea of evolution occurring naturally within the sub-ecosystems and greater ecosystem which account for the ecology of the threat landscape. It occurred to me while introducing this idea to the crowd how pedestrian things become when you are exposed through research, analysis and extensive study to your subject matter, and yet how powerful and enlightening something can be to fresh eyes. It is the part of what we do which I love most; the education and subsequent recognition of the new. It is a beautiful thing.
We introduced the concept of web-based application attacks and, though we didn’t have time to provide any real-time examples, presented statistics from our own research and from that conducted by organizations like WhiteHat Security, Inc. and IBM ISS X-Force. These statistics spoke to the prevalence of vulnerabilities and abuses such as SQL injection, cross-site scripting (XSS) and click fraud; specifically, how common they are in Internet-facing application activity seen today. Some of the statistics were shocking to the audience; you could see it in their eyes; they were not prepared to hear them, to see them, to realize what they meant to them on a personal level. Next, we introduced the concept of cyber-crime to the audience and began discussing just why someone might go to the lengths required to exploit one or more of these vulnerabilities. As the realities associated with our topic began resonating with the audience, again looks of disbelief appeared on the faces of some, sometimes only in their eyes, while knowing looks appeared on the faces of others as they nodded their heads in agreement. This too was good.
We discussed the role of the individual operator, broached the concept of confederations and criminal exchanges, and then touched briefly upon the role of true organized crime entities in this space. In order to drive the concept home we elected to introduce the concept of the botnet to the audience to illustrate some of the points we were making. I spoke about botnet architecture, the use of encryption and packing (the cryptovirology angle) to hide binaries from signature-based detection and to evade non-signature solutions, and much more. It felt good. What didn’t feel good was the realization that there is so much more education to do, and how often there is so little time in which to do it effectively. This organization was no different from many that I have spoken at or consulted with over the years. Fortune 1000 organizations often have the same problems as Fortune 50 organizations. Some organizations embrace education and awareness more seriously than others; some others shall and need to remain nameless, in order to protect the identities of those who work and toil there daily in an effort to introduce change. Shattering the illusion of security via obscurity is as important within these as any other, perhaps more so. I encourage more education of this type. I believe there has never been a more appropriate time for it. The advent of Web 2.0, mobility and universal connectivity (all topics touched on in the presentation mentioned above) affects us all in both wonderful and potentially dangerous ways. It’s a situation akin to Pandora’s Jar, where upon opening it much danger, much evil, was released into the world, yet when finally exhausted, at the bottom of the jar, there lay hope. We must have hope. We need to encourage this and, in encouraging it, we can encourage change. Much needed change.
When Antivirus becomes the Virus
Full Disclosure – I am a former McAfee employee, and currently draw a paycheck from a McAfee partner. The following are clearly my own thoughts and do not represent McAfee, my current/former employer(s) or anyone else.
Having been in the IT security industry for at least a decade, I have come to two key realizations:
1.) The IT security industry, as it relates to vendors selling products is largely based on FUD (fear, uncertainty, doubt), and
2.) Antivirus in almost no significant way equals comprehensive security
As many across the interwebs have already brought to light, McAfee had a very public snafu with one of their DAT updates (DAT 5958). Here is a mildly humorous link from Engadget’s site. To be clear, the point of this post is not to say that the antivirus market is poor or dead, or that McAfee has substandard products or solutions (usually the contrary), but that mistakes like this hurt not just one vendor or end customer; the entire industry at large suffers.
That last part is an important point, especially in the case of endpoint security. Mistakes happen. QA processes are not perfect, vendors are trying to cut costs at every turn to increase profitability, so these things happen. In this specific case, if you were running VirusScan Enterprise with default settings you were a bit better off than those who had enabled “Scan Processes on Enable” or ran an on-demand scan with the 5958 DAT and scanned svchost.exe, as the SVP of McAfee Support mentions in his blog post.
I see this with a lot of security practitioners: they turn on non-default options and get burned. Again, not picking on McAfee, but they also had a recent issue in the Patch 3 release of VirusScan Enterprise 8.7i that surfaced when you enabled “Prevent Windows Process Spoofing” (also an option that is disabled by default). This does not affect you if you don’t start turning on options you don’t fully understand. So, if you are responsible for endpoint security, a few simple tips:
1.) Have an IT test environment in place. Like Noah’s Ark, have representative systems (hardware, OS levels and apps installed) to test before you deploy. Many large enterprises wait 12-24 hours before rolling out DATs, and those who did were largely unaffected by this issue. Vendors like to throw around FUD here and push people to deploy reactive DAT coverage immediately, but in few instances does security supersede system availability.
2.) Stick with the default options unless you are ready to accept the consequences. If you left the default options in place, neither of these two recent McAfee issues would have affected you. Quit turning knobs when you don’t fully understand what they do. Too many of us in IT assume instead of “trust but verify”.
3.) On-demand scans are of minimal help on end workstations. AV scanning, especially on a scheduled basis, is reactive: if it finds something, you already have malcode. Use real-time protection, on-access scanning, whatever your vendor calls it. Save the scheduled, reactive scanning for your file servers, SharePoint, and other file and data repositories.
4.) Antivirus is not total security; it is only one countermeasure, and most importantly a reactive one. Regardless of what spin vendors put on it (heuristics, sandboxing, lookups in the cloud, etc.), by its very nature it is a reactive countermeasure. Implement more and better countermeasures, which leads me to …
5.) Complement endpoint security with more than just desktop and network firewalls. If you don’t use host-based intrusion prevention on your laptops and critical systems, you probably should. There is a big difference between detecting malicious code by signature and stopping malicious traffic, and there is far more to it than blocking a port or protocol.
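Tips 1 and 2 amount to a promotion gate: a new DAT goes to a pilot ring first, and it is not promoted to production until the soak window has passed and nothing in the pilot telemetry looks like the 5958 failure mode (an OS binary quarantined). The following is an added example of such a gate, written for this page; it is not McAfee tooling, and it assumes a pilot ring that reports detections as the `ScanEvent` records shown. The protected-binary list, the detection names and the pilot events are all constructed.

```python
"""Promotion gate for a staged antivirus signature (DAT) rollout.

Added example; this is not McAfee tooling and it assumes a pilot ring that
reports detections as ScanEvent records. Two rules from the post:

  1. a DAT that flags a protected OS binary in the pilot ring is rolled back,
     never promoted (the DAT 5958 failure mode: svchost.exe quarantined);
  2. otherwise the DAT is held until the soak window has elapsed.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

# Constructed list of Windows binaries a DAT must never touch. A real ring
# would carry the full set of files the OS cannot boot or log in without.
PROTECTED_BINARIES = {
    "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "smss.exe",
    "services.exe", "explorer.exe",
}
DEFAULT_SOAK_HOURS = 24  # the 12-24 hour delay the post describes


@dataclass(frozen=True)
class ScanEvent:
    host: str
    path: str       # full path as reported by the scanner
    detection: str  # detection name (constructed values below)
    action: str     # "quarantined", "deleted", "cleaned", "denied"


def _basename(path: str) -> str:
    # Accept both Windows and POSIX separators; compare case-insensitively.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hits_protected(event: ScanEvent) -> bool:
    """True when the scanner acted on a binary the OS cannot run without."""
    return _basename(event.path) in PROTECTED_BINARIES


def gate(dat_version: int, events: Iterable[ScanEvent], elapsed_hours: float,
         soak_hours: float = DEFAULT_SOAK_HOURS) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'rollback', 'hold' or 'promote'."""
    for ev in events:
        if hits_protected(ev):
            return ("rollback",
                    f"DAT {dat_version}: {ev.path} {ev.action} on {ev.host} "
                    f"as {ev.detection}; protected binary, do not promote")
    if elapsed_hours < soak_hours:
        return ("hold", f"DAT {dat_version}: {elapsed_hours:.0f}h of "
                        f"{soak_hours:.0f}h soak elapsed")
    return ("promote", f"DAT {dat_version}: soak complete, no protected-file hits")


# Constructed pilot-ring telemetry, modelled on the 5958 incident.
EVENTS_5958 = [
    ScanEvent("pilot-xp-07", r"C:\WINDOWS\system32\svchost.exe",
              "constructed-fp-name", "quarantined"),
]
# A later DAT that only flags a file in a user temp directory: no rollback.
EVENTS_5959 = [
    ScanEvent("pilot-xp-03",
              r"C:\Documents and Settings\u\Local Settings\Temp\a.exe",
              "constructed-trojan-name", "quarantined"),
]

if __name__ == "__main__":
    print(gate(5958, EVENTS_5958, elapsed_hours=2))
    print(gate(5959, EVENTS_5959, elapsed_hours=2))
    print(gate(5959, EVENTS_5959, elapsed_hours=24))
```

Note that the rollback rule fires on the first protected-file hit regardless of how long the DAT has soaked: time alone never promotes a signature set that has already shown it will quarantine an OS binary. The soak window only matters once the pilot ring is clean.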
The point of this is not to unleash a hit piece on a specific vendor or technology, but to make sure practitioners frame their security tools and countermeasures in the appropriate context. AV won’t save you from malicious traffic for the most part, or from a targeted attack, just as network security is not the answer to all of your security issues. The answer is an honest assessment of your countermeasures and their configurations, and whether that maps to an acceptable level of protection versus risk. Sounds so simple, yet the devil’s in the details.
Risky Business: Addressing Risk Management Aversion
When I think of information security in the broadest sense, I immediately think of managing and mitigating risk. I know of no more appropriate way in which to view our discipline, and for years and years (largely due to my diverse background in both research and consultancy organizations) I have struggled to understand why there is opposition to this point of view. Risk management is a widely accepted discipline within other industries, namely finance, but also within enterprise operational business models (often referred to as ‘enterprise risk management’ or ‘fiduciary risk management’). It pains me to no end that today, in the year 2010, there is still such an egregious misunderstanding of risk management within business. It worries me that there is so much opposition to asking and answering three very simple, yet insightful, questions about one’s enterprise environment.
It troubles me deeply that there are so many misgivings with respect to the benefits associated and derived from proper management of risk and the establishment of a solid, comprehensive risk posture from which a security program and framework can be derived to meet the needs of the organization as a whole and on individual levels amongst business units and individual contributors. Recently I engaged in a thought provoking conversation with the talented and engaging Mr. Dan J. Molina during which a substantial amount of time was dedicated to discussing this very matter. During the conversation we discussed in no specific order many of the points, which are debated (some with greater degrees of merit than others), within our industry regarding risk management:
- Risk is inherent in all things; nothing worth doing (or not doing) can be said to be devoid of risk
- To understand risk one must embrace, not run from it
- Risk can be empowering if one takes the time to explore it or devastating if one ignores it
- Neither men nor organizations of men (in business, government, or life) can eliminate risk; they can only work to manage it via mitigation with the hope of minimizing impact
- Too many people mistakenly equate risk management with compliance; the two are not mutually exclusive, however they are by no means the same thing
- Risk management is hard and, as a result of it being hard, it is undesirable to many, as it requires EFFORT!
- Risk management is an impossible or unrealistic ideal (the Ranum / Schneier debate)…it’s rubbish
- The practice of managing risk does not require the invocation of a ‘new school of thought’; there is nothing wrong with the schools of thought present and accounted for today or yesterday; adoption is not dependent on the cohesive nature of the school of thought
- It is both irresponsible and foolhardy to operate as though risk does not require managing or that it is not present in all things
- There is no way to force risk management into effect regardless of how compelling the data supporting it (actuarial data, circumstantial data, etc.) is or might be
The discussion of these points gave way to another discussion on whether or not there was merit in simply ‘feeling secure’ as opposed to being secure and having to demonstrate a state of security vis a vis evidence of a mature risk posture.
We then discussed the importance of feeling secure as it relates to the demonstration of security via evidence of risk posture, and how both relate to the state of actually being secure. For many, ‘feeling secure’, as Bruce Schneier has pointed out in the past, is as important as or more important than actually demonstrating security via hard fact. I tend to agree with Schneier on this point: many would be comfortable operating under the belief that they are secure (regardless of whether or not it had been substantiated via qualitative and quantitative means) by virtue of how they feel, as opposed to actually knowing they are secure. In essence the argument boils down to a collective delusion which finds everyone sharing the same experience, the same reality, regardless of its accuracy. This of course is dangerous at best and potentially cataclysmic at worst.
So how do we change the perceptions of risk management within our industry? That is the question! There are many ways to begin, though none are trivial. The process requires us, as industry professionals, to decide whether we view the subject of risk management as a legitimate discipline or not. This is something which cannot be legislated, nor can it be faked. One either believes in or sees the realities associated with being able to manage risk in qualitative and quantitative terms, or one does not. It is as simple as that. Risk management exercises (provided they are undertaken) are unique to the individual organizations endeavoring to learn from the process. These organizations rely on transparency and accuracy of data; otherwise their yield is worthless, as it neither reflects fact nor sustains it. Open, honest discourse about the data brought to bear is essential to this process. Should this be found to be lacking, then the entirety of the process must be called into question, with any and all data points being held under close scrutiny. This blog posting is not, in any way, meant to trivialize the process of risk management or oversimplify the challenges associated with it. By no means is it! It is, however, meant to be a catalyst for thought; a morsel for consideration which hopefully will (ideally) lead to more mature discussions and (God willing) help remedy the madness which clouds and obstructs our collective vision.
CODE BLUE: Our Industry Needs Resuscitation
It is no secret that the world is a complex place. Look at any news report on any network regardless of what your geopolitical bent is and you will notice three things:
- Everyone has an opinion
- Everyone’s opinion to him or herself is right and sacred
- Opinions without action are worthless
I am a huge fan of Erik Erikson, the revered developmental psychologist and psychoanalyst best known for his theory of psychosocial development. His work and research in the field of ego psychology and social psychological development was landmark and, amongst the neo-Freudian community, he in my opinion stood far above his peers. Eriksonian theory suggests that psychosocial development occurs in a series of stages, each of which requires successful mastery of the preceding stage in order to properly prepare and set the stage for all later stages. Likewise, Erikson theorized that failure to master the initial stages can have a damning effect upon development, though this is not to say that one cannot recover from and overcome these obstacles and subsequently (with hard work and diligence) arrive at a place which is prime for the stage one finds oneself in (there are of course limits and caveats associated with this, especially in considering the earliest stages wherein the subject is still an infant and largely dependent upon others for nurturing). The following table depicts Erikson’s stages of social psychological development nicely.
Table 1: Erikson’s Stages of Social Psychological Development
| Stage | Basic Conflict | Important Events | Outcome |
|---|---|---|---|
| Infancy (birth to 18 months) | Trust vs. Mistrust | Feeding | Children develop a sense of trust when caregivers provide reliability, care, and affection. A lack of this will lead to mistrust. |
| Early Childhood (2 to 3 years) | Autonomy vs. Shame and Doubt | Toilet Training | Children need to develop a sense of personal control over physical skills and a sense of independence. Success leads to feelings of autonomy; failure results in feelings of shame and doubt. |
| Preschool (3 to 5 years) | Initiative vs. Guilt | Exploration | Children need to begin asserting control and power over the environment. Success in this stage leads to a sense of purpose. Children who try to exert too much power experience disapproval, resulting in a sense of guilt. |
| School Age (6 to 11 years) | Industry vs. Inferiority | School | Children need to cope with new social and academic demands. Success leads to a sense of competence, while failure results in feelings of inferiority. |
| Adolescence (12 to 18 years) | Identity vs. Role Confusion | Social Relationships | Teens need to develop a sense of self and personal identity. Success leads to an ability to stay true to yourself, while failure leads to role confusion and a weak sense of self. |
| Young Adulthood (19 to 40 years) | Intimacy vs. Isolation | Relationships | Young adults need to form intimate, loving relationships with other people. Success leads to strong relationships, while failure results in loneliness and isolation. |
| Middle Adulthood (40 to 65 years) | Generativity vs. Stagnation | Work and Parenthood | Adults need to create or nurture things that will outlast them, often by having children or creating a positive change that benefits other people. Success leads to feelings of usefulness and accomplishment, while failure results in shallow involvement in the world. |
| Maturity (65 to death) | Ego Integrity vs. Despair | Reflection on Life | Older adults need to look back on life and feel a sense of fulfillment. Success at this stage leads to feelings of wisdom, while failure results in regret, bitterness, and despair. |
At this point you, the reader, may be wondering just what this has to do with what I typically write here. That is a great question and I am glad you are thinking! I believe our industry has, in many ways, met with conflicts (as Erikson describes them, or challenges) and failed to conquer them, thus finding itself following a derelict trajectory. I believe several factors have contributed to this:
- An inordinate amount of emphasis being placed on compliance for compliance’s sake as opposed to improvement of risk posture
- A fundamental lack of value and understanding with respect to information security and all it influences in business and outside of it historically (though I feel this is beginning to change…slowly)
- Errant thinking and marketing campaigns on the part of certain vendors (you know who you are and as such there is no need to point you out here)
- The errant belief that what worked in the past will work today or tomorrow (applies to technology as well as thought / philosophy)
- The accepted ‘norm’ of intellectual dishonesty which has become grossly apparent to the trained eye and experienced practitioner
In terms of development, it is my opinion that the industry has progressed, though not without lumps, and as a result of incurring said lumps has approached each successive stage of development in a manner which, though not ideal, can certainly be right-sized. Should this right-sizing not occur, I believe the industry at large will square and settle into developmental stage 7, “Middle Adulthood”, characterized by Generativity vs. Stagnation, and find itself landing precariously in the realm of stagnation. I do not do stagnation well; do you? If not, let us continue to challenge our peers, our industry, our clients, our customers and ourselves to reclaim our industry and ensure generativity for all.
Software is an essential, non-negotiable aspect of everything we experience in our daily lives. It is the technological parallel of water in the biological realm. All things within the worlds that govern the use and application of either software or water rely upon the sanctity and “cleanliness” of these resources in order to progress and ensure their existence. Without a sense or guarantee of purity, much stands to be lost; most of which can only be hypothesized about or guessed at until an event of interest solidifies the inclinations of those who are speculating. Consider all that you interface with on a daily basis, regardless of where you are located geographically on planet Earth: your communications systems, your medical and emergency response systems, your transportation systems, your drinking water and water treatment facilities, your power industry systems (end to end), your financial systems, your military systems, and so on. This is a relatively short list, and though that may be the case (and though I am fully aware of the greater scope of systems and technologies affected by software), we can see that precious little in the age in which we live exists outside the realm of engineering that depends upon secure software development. Traditionally, software development lifecycles (SDLC) have been governed either by those parties responsible for the ‘framework’ of tools and/or coding languages used for development, or by those parties within a given organization who have assumed responsibility for development and are actively working towards goals set forth by the business units they support. Whatever the case may be, there are certainly ample examples of glaring deficiencies within these processes, deficiencies which (when left unaddressed once found or, worse, ignored despite having been found) often have cataclysmic ends.
As professionals working in the business world, plying our tradecraft, we need to ask ourselves, our clients, our customers and anyone else who will listen (ideally those who have a ‘stake’ in the decision-making process which impacts the generation and delivery of this code) why we allow an insecure state to exist in something so key to everything we do. There are many reasons one could point to for the existence of these deficiencies:
- Unrealistic time lines for delivery to market by businesses and stakeholders within
  a) Meeting or exceeding expectations of the investment community
  b) Exceeding the ability of the competition to get to market and thus securing a more stable position
  c) Realization of a conceptualized solution to a need / want in the absence of irrefutable data
- Lack of expertise to ‘code’ securely
  a) Coding with security in mind is as much an art as it is a science; however, it can be achieved in repeatable fashion via soundly crafted process and procedure, in addition to training and encouragement of skill-set development
  b) Resource / personnel challenges
     - Lack of people capable of marrying the concepts together
- Lack of discipline / time to ‘code’ securely due to pressures presented in point #1
  a) Self-explanatory, but can certainly be expanded upon in greater detail at a later time
- Lack of patience
  a) Art meeting science; one cannot rush greatness or soundness of design, however one can, through the use and employment of the right people, process and technology, achieve the goals and complete the mission
  b) Patience is non-negotiable
- Fear
  a) People fear what they do not understand
  b) People fear what they do understand but are unable to influence and / or change
  c) People fear what they cannot contemplate
The net effect for our discipline and tradecraft is that we see (and experience daily) the results of either poor, or a total absence of, proper SDLC. We cannot afford to become comfortable or complacent in a system which has, to date, zero accountability, and as such many are looking at the present, and towards the future, with new, bold ideas in mind hoping to effect change. One such organization is one which I have both the privilege and honor of being affiliated with, The Rugged Software Initiative (http://www.ruggedsoftware.org/ and https://groups.google.com/a/owasp.org/group/rugged-software). My friend and colleague, Josh Corman, along with David Rice (author of “Geekonomics” and security professional) and Jeff Williams (CEO, Aspect Security), developed this concept and, with the help / guidance of several industry figures, delivered the Rugged Manifesto and initial presentation, which they presented and released at the SANS Application Security Summit on February 5, 2010. This is not the first time an SDLC methodology has been proffered up for the masses; however, it is one of the only times which I can readily recall that a collective body of like-minded individuals from disparate elements of industry have developed a framework akin to this which they hope to see adopted by the masses as a mechanism for combating the threats presented by the deficiencies I mentioned earlier, and others as well. That being said, I and my peers at Cassandra Security stand in support of Rugged. Many of us have functioned and continue to function in assessor and auditor capacities and understand all too well the flawed state of code in the world today, through our own analysis and through the work of others. We believe in the concept and the goal. Do we believe that it will be adopted universally and that all software development flaws will be eliminated? No, we do not, but we are hopeful that in encouraging the adoption and support of this ideal we, as professionals and as colleagues, can encourage industry to address the points I made above and those contained within the body of The Rugged Software Initiative and Manifesto in order to mitigate the risk. Get Rugged, it might just save your life.
Cloud Computing and Security
This post is the first in a series of in-depth reviews of some of the security challenges we see with cloud computing. In the post that follows you’ll find some very high-level concerns we have regarding the innovations around cloud computing. More detailed analyses of the various cloud offerings will follow in the coming days and weeks.
Cloud computing has introduced a whole world of possibilities for everyone from the largest enterprise looking to reduce operational expenses down to the individual consumer wanting a place to store their summer vacation pictures. At first glance, the entire concept of cloud computing is a fantastic way to lower data center costs, reduce the number of personnel required to manage a system, save on software licenses and to eliminate the need to purchase a product or service that is not within your core competency.
My guess is that every enterprise is looking for some way to leverage “the cloud” in some form or fashion, and advertisements for web-based services geared to the small business and consumer are all over the mainstream media. All of these services are promising a lower-cost, easier-to-manage solution, or promising a “quicker” something, whether it be a tax return or “anywhere” access to files. This generation of computing promises to be great, except for one thing: security.
By definition, security in the cloud computing infrastructure is not possible. That said, nothing is completely secure and risk free, except maybe that computer that’s not plugged in and has no users or operating system, but then what good is that other than to serve as a paperweight or to hold a floor down? Anyhow, ever since I was an “InfoSec toddler” three things have been driven into my head:
1 – Confidentiality
2 – Integrity
3 – Availability
Those three simple words describe everything we need to know about security, no matter whether we call it network security, system security, IT security or that all-encompassing term – information security. As I said in an earlier post on Cassandra, security is all about protecting information; I agree that it is no fun when a computer is infected with malware which causes the owner to have to rebuild a hard drive or, worse, an “outbreak” occurs across multiple systems. It is bad when a gateway device or web server goes offline because of a DoS attack. However, in both of these cases, if information isn’t compromised it can be classified as an internal security event and not a reportable security incident. In fact, if it were not for the above tenets of information security, the attacks that exploited a browser flaw (a vector that was predicted by members of Cassandra Security in 2006 and 2007 to have severe implications for the security of our information) would have been nothing more than a patch event from a security perspective. Again, the time to protect your critical information has not just arrived; it has always been here, it’s just becoming more complex with advancements in technology. I would even argue that some forms of cloud computing, specifically Web 2.0 and collaboration, have led to the critical nature of the recent IE exploit that affected so many companies.
Security is all about protecting information, and it has been so since the ancient Greeks would shave and tattoo a message onto a slave’s head and send them across enemy lines to deliver that message. Whether we call it steganography or encryption, they found a way to protect information that needed to be delivered between two points. Yes, that person may have been at risk or, if that person was killed, then the message didn’t get delivered, but there was limited harm because the enemy didn’t have the “key” to decipher the message.
This brings me back to my original point: by definition, information security cannot be assured in a public cloud computing environment, and here’s why: the customer is still the data owner, and they are ultimately the organization responsible for the CIA of their information. The act of transferring this information to someone else’s facility does not change that; rather, it makes it more difficult.
Confidentiality is difficult at best and not possible at worst. In a public cloud environment, one must ask the vendor if they can guarantee the confidentiality of your data. In order to accomplish this they would have to do a few things:
- Ensure that all data is encrypted in motion and at rest
- Ensure that your data is not hosted on the same servers as other customers (While this changes a bit if all data is encrypted, there are still many concerns about keeping containers separate that affect the confidentiality of your information)
- Ensure that no unauthorized personnel have access to any of your data (This includes the hosting company’s employees. Are they insiders in your organization? Are they authorized access to your trade secrets, intellectual property and/or customer data?)
- Ensure that you manage the encryption keys, because it is possible they could make an error and use the same public/private key pair for more than two customers
- Ensure that access can be confirmed to only come from your organization
Integrity is a bit easier than confidentiality if the data is encrypted and can only be accessed by your organization; however, how does the hosting company guarantee that only your organization is accessing the data or application? To do so they would have to:
- Ensure that no data can be manipulated outside of the application, if applicable
- Ensure that no data can be accessed or modified by other than authorized employees of your organization
- Ensure that the data cannot be intercepted, read or modified while in transit, either across the network or to a remote backup facility, should one exist
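The confidentiality points above (encrypt at rest, keep containers separate, hold the keys yourself rather than trusting the provider not to reuse a key pair) and the integrity points (no modification outside the application, none in transit) share one underlying control: the data owner encrypts and authenticates the data before it ever reaches the provider, so the provider stores only opaque blobs. The following Go program is an added example, not code from this post or from any cloud vendor; the customer key, the label format (“acme/hr/payroll.csv”) and the sample record are constructed for illustration. It uses AES-256-GCM from Go’s standard library, with the object label supplied as additional authenticated data so that a blob silently copied into another customer’s container, modified on disk, or opened with the wrong key fails the tag check instead of yielding plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is all the provider ever stores: ciphertext (with the GCM tag
// appended), the nonce, and the label the customer bound to it.
// No key material leaves the customer's side.
type Blob struct {
	Label      string // constructed sample: "<customer>/<container>/<object>"
	Nonce      []byte
	Ciphertext []byte
}

// NewCustomerKey generates a 256-bit key held by the data owner, so a
// provider-side key-management mistake (the "same key pair for more than
// one customer" concern) cannot expose the data.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext before upload. The label is passed as additional
// authenticated data, so the ciphertext is cryptographically tied to the
// customer and container it belongs to.
func Seal(key []byte, label string, plaintext []byte) (*Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return &Blob{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a retrieved blob. Any change to the ciphertext, nonce or
// label, or use of the wrong key, fails the GCM tag check and returns an
// error rather than (possibly altered) plaintext.
func Open(key []byte, b *Blob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(b.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Label))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed for %q: %w", b.Label, err)
	}
	return pt, nil
}

// Tamper flips one bit of the stored ciphertext, standing in for corruption
// or modification on the provider's side or in transit.
func Tamper(b *Blob) *Blob {
	ct := append([]byte(nil), b.Ciphertext...)
	ct[0] ^= 0x01
	return &Blob{Label: b.Label, Nonce: b.Nonce, Ciphertext: ct}
}

func main() {
	key, _ := NewCustomerKey()
	blob, _ := Seal(key, "acme/hr/payroll.csv", []byte("constructed sample record"))
	if pt, err := Open(key, blob); err == nil {
		fmt.Printf("retrieved intact: %s\n", pt)
	}
	if _, err := Open(key, Tamper(blob)); err != nil {
		fmt.Println("modified blob rejected:", err)
	}
	moved := &Blob{Label: "other-tenant/hr/payroll.csv", Nonce: blob.Nonce, Ciphertext: blob.Ciphertext}
	if _, err := Open(key, moved); err != nil {
		fmt.Println("relabelled blob rejected:", err)
	}
}
```

The design choice worth noting is that the label goes into the authenticated data rather than being encrypted: the provider still needs it to index the object, but a blob that turns up under a different customer’s path is detected at decryption time. This addresses the owner’s confidentiality and integrity obligations; it does nothing for availability, which remains a matter of the provider’s and ISPs’ service levels as discussed next.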
Availability is probably the most difficult, because while you might have a service level agreement in place with the provider for access to their systems, you may have at least two other parties involved, those being the ISPs of the respective organizations. Can you get a guarantee from all of those organizations that your data is going to be available when you expect it to be available?
- What happens if you need access to information regarding a research project and the cloud service provider is experiencing an outage outside of their control?
- Are they hosting your data across multiple servers or systems? While this may help the availability issue within the cloud provider, it could violate the confidentiality and integrity principles above.
- Are you buying your processing time in “slices”? This too could affect availability.
While this is not all-encompassing of the security complexities introduced by cloud computing initiatives, it should give an organization plenty to think about the next time they hear the advertisement that says “My cloud is secure.” I’m not advocating against leveraging the cloud; quite the opposite: educate yourself before exploring the benefits of cloud computing. Stay tuned for specific research papers on the security concerns in the various types of cloud computing and the services offered in that environment.
Recent events have caused the world at large to take note of something which many (certainly not all) information security professionals have been intimately aware of for some time: the dynamic nature of the threat landscape as demonstrated by the rise in prominence of subversive multi-vector threats (SMTs). The events related to the Google vs. China attacks are exemplary of a subset of SMTs, the advanced persistent threat (APT), first brought to our attention as a ‘term du jour’ by the fine folks at the Department of Defense (DoD). Were there other names for these threats in the years prior to the coining of this term? Yes; for many years the unexplained or anomalous were referred to as ‘events of interest’ (crafty, no?), as that is exactly what they were when noticed, events of interest. Today, in a wonderfully thought-provoking guest blog posting at Threatpost.com, Scott Crawford and Nick Selby reiterated that it’s the adversaries, not the threats, which are persistent.
This correlates with the model from which I operate and understand these threats, the subversive multi-vector threat model, regardless of their points of origin (nation state; sub-national entity – criminal, terrorist, mercenary or otherwise). Again, this comes as no surprise to those who have an intimate familiarity and understanding of what motivates, drives and ultimately emerges as an exploitation resulting in data exfiltration and weakening of risk postures (literal, figurative and psychological) in public and private sectors the world over. Experience is the best teacher. This has been proven to my colleagues and me here at Cassandra Security, and at other affiliated organizations such as Trident Risk Management, many times over. What is old is often vigorously repeated, as people many times become complacent, forgetting what led them to take note of an event of interest to begin with.
There is a familiarity associated with this idea that echoes the sentiment Solomon suggested in his writing of the Book of Ecclesiastes: “…there is nothing new under the sun…”. We need to ask ourselves: why? Why are we surprised by this rationale? Why are we taken aback by the emergence and manifestation of activity which is not new, but rather the result of creativity and innovation in thought, action and deed, in addition to the willingness of those responsible to accept greater degrees of risk than we ourselves are – in both offense and defense? And perhaps why does our industry slumber like a sleeping giant, as was suggested by members of this organization last year at Toorcon 11 in San Diego while presenting on this and related topics? Perhaps even more interesting is the attitude that Crawford and Selby noted on the part of several of the ‘Bigs’ with respect to this subject matter, which previously was not part of their vocabulary.
Regardless of what you wish to believe, the threats presented by individuals and organizations alike operating on behalf of, in deference to, or outside of nation-state-sponsored activity are real. As Tom Clancy said, there is a “Clear and Present Danger” here. This is not up for discussion, nor should it become the marketing hammer with which some posit less than enlightening insights regarding just what threats such as those seen in the ‘Aurora’ attacks are targeting – namely data. In the public sector, with respect to defense and strategic offense, it has always been about the data; data and intelligence are paramount to all things tactical, strategic and economic. To suggest otherwise is not only demonstrative of one’s own personal limits and lack of understanding with respect to the subject matter, but also indicative of one of the greater problems present within our industry: sensationalism and the errant logic which some organizations use in capitalizing off of a ‘hot’ topic. This is both foolhardy and ill-advised. This is the information security industry’s equivalent of ambulance chasing and should be looked upon with both a cautious, discerning eye as well as no small amount of skepticism. Regardless of what you wish to believe or may have heard recently from some rather large entities in our industry, the threats discussed in the case of Google in China and elsewhere (Ghostnet, for example) are far from new.
You may have read articles addressing this topic here at Cassandra Security previously, or elsewhere, perhaps at Taosecurity, Information Warfare Monitor or Threatpost. Regardless of where you read or heard about them, it is important to note that these attacks and those responsible for them are not new, nor are they peerless or without fault. True, they are often hiding in plain sight. That is something that those responsible for organizational security and risk posture must address for themselves and take note of should they wish to stave off current or future attacks. This fact is apparent in a multitude of cases historically, and will no doubt continue to be the case, as I and my colleagues here and elsewhere at affiliated organizations have suggested. Equally important will be the need to develop a deeper, more robust understanding of the psyche of those behind these attacks and their motives. Agendas drive everything, whether we wish to admit so or not. Cybercriminal activity in all its flavors, in addition to nation-state-sponsored and sub-nationally sponsored activity, requires this now more so than ever before. The future is now, and it is up to those who dare to lead to provide the light necessary to illuminate the paths we tread.
German Government and Internet Explorer
The German government has warned against the use of Internet Explorer citing that Microsoft’s recommendations to increase the security zone setting to High would not make the browser safe.
It’s an interesting statement in what is sure to continue to be a tough time for Microsoft. You’ll see that in the article from BBC that I linked above, Mr. Thomas Baumgartner of Microsoft states, among other things, “These were not attacks against general users or consumers.” That’s where Microsoft has proven to me their short-sightedness in their issues surrounding flaws in Internet Explorer.
In this specific case, Mr. Baumgartner is absolutely correct in stating that the attacks against Google, Adobe, Juniper and unnamed others weren’t attacks against consumers. However, I think he’s missing a key point: with IE installed on over 60% of computers worldwide there is a better than average chance that consumers WILL SOON be targeted, and this is why I have issue with Microsoft’s defense against the German government warning.
My comments in this post are not intended to be an indictment against Microsoft. The fact is that Microsoft has huge market share at both the OS and application level, thus it follows that their applications are more likely to be targeted for attacks. But, it’s all in how the situation is handled and how the vendor shows they understand the long term implications of this problem. As I stated above, based on the comments reported in the press, they don’t fully understand the potential depth of the problem.
Personally, if I were responsible for IT in an organization, starting tomorrow I would think very, very seriously about taking the following actions:
- First, on all systems running IE, implement Microsoft’s recommendations in the security advisory for this issue.
- Second, have my IT administrators develop a plan to install Firefox on all systems which require a web browser and do so as the default web browser.
- Third, remove Internet Explorer from all systems unless there is a specific internal application or other third-party business application which only supports IE. Then I would have it installed only on systems requiring access to that app, would have the security settings tuned to High and would disable as much scripting as possible.
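For the systems that must keep IE (the third step above), the zone setting the post refers to lives in the per-user Internet Settings registry hive, which makes it both easy to check and easy for a user to “tune back down”, the very failure mode discussed below. The following PowerShell script is an added example, not from this post or from Microsoft’s advisory: it audits the Internet zone (zone 3) for the High template and for Active scripting / ActiveX being disabled, and optionally enforces those values. The registry path and the value names 1400 (Active scripting) and 1200 (Run ActiveX controls and plug-ins) are Microsoft’s documented Internet Settings layout; which actions constitute “as much scripting as possible” is this author’s assumption, and the script only covers the current user. In an enterprise the same values would be pushed through Group Policy rather than run per machine.

```powershell
# Added example (not part of the original post). Audits, and with -Enforce
# sets, the Internet Explorer Internet zone for the current user.
param([switch]$Enforce)

# Zone 3 = Internet zone, per-user hive (HKCU). Group Policy writes the
# equivalent under HKLM\...\Policies; that is not checked here (assumption).
$ZonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$HighLevel = 0x12000   # CurrentLevel value shown as "High" in the IE UI
$Disable   = 3         # per-action value meaning "Disable" (0 = enable, 1 = prompt)

# Actions the post's "disable as much scripting as possible" is taken to mean
# (author's assumption): Active scripting and ActiveX controls/plug-ins.
$WantedActions = @{
    '1400' = 'Active scripting'
    '1200' = 'Run ActiveX controls and plug-ins'
}

function Get-ZoneValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $ZonePath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-InternetZone {
    # Returns a list of findings; an empty list means the zone is as expected.
    $findings = @()

    $level = Get-ZoneValue 'CurrentLevel'
    if ($level -ne $HighLevel) {
        $findings += ('CurrentLevel is {0} (expected High = {1})' -f $level, $HighLevel)
    }

    foreach ($action in $WantedActions.Keys) {
        $value = Get-ZoneValue $action
        if ($value -ne $Disable) {
            $findings += ('{0} ({1}) is {2} (expected Disable = {3})' -f
                $WantedActions[$action], $action, $value, $Disable)
        }
    }
    return $findings
}

function Set-InternetZoneHigh {
    # Writes the template marker and the individual actions; setting
    # CurrentLevel alone only changes what the slider displays.
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    Set-ItemProperty -Path $ZonePath -Name 'CurrentLevel' -Value $HighLevel -Type DWord
    foreach ($action in $WantedActions.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $action -Value $Disable -Type DWord
    }
}

$before = Test-InternetZone
if ($before.Count -eq 0) {
    Write-Output 'Internet zone already at High with scripting disabled.'
} else {
    $before | ForEach-Object { Write-Output ('FINDING: ' + $_) }
    if ($Enforce) {
        Set-InternetZoneHigh
        $after = Test-InternetZone
        if ($after.Count -eq 0) { Write-Output 'Enforced: Internet zone now at High.' }
        else { $after | ForEach-Object { Write-Output ('STILL OPEN: ' + $_) } }
    }
}
```

Run it without arguments to report drift (which is also a cheap way to spot the users who have quietly relaxed the setting after a site broke), and with `-Enforce` to reset the values. Because it is per-user, it has to run in each user’s context; a logon script or Group Policy preference is the practical delivery vehicle at scale.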
I’m not naive, I know there are vulnerabilities in Firefox; in fact, when looking at Secunia this morning I found there to be more vulns in Firefox than there are in IE (versions 5.0.1 through 8). However, the one thing I noticed as well is that Firefox vulns were more likely to be patched in a quicker fashion than those in IE, and that the vulns reported in Firefox collectively were not as severe as the vulns reported in IE. My recommendations are based on the fact that this isn’t the first time a critical vulnerability in IE has been exploited and the only defense was to wait for the patch. This recommendation is purely defensive against a future IE zero day that goes unpatched for a significant length of time after discovery.
Granted, zero day is generally defined as an attack that occurs against a vulnerability that was previously unknown. In defense of Microsoft, it’s pretty tough to patch a zero-day vulnerability before an attack occurs. However, this series of attacks occurred last week, and the recommendations against exploit are browser settings, not a patch. This isn’t going to work for the consumer or casual user and, very likely, won’t work effectively for the large enterprise.
The reasons are simple:
- Consumers and casual users (non-IT SMBs, etc) don’t understand what these settings really mean and will be very likely to “tune them back down” once their favorite website doesn’t display correctly.
- Large enterprises with thousands of employees can’t absorb the costs of taking calls from the help desk asking “how do I make these changes again?” or trying to explain why some website isn’t working.
It’s quite simple for me to make these changes on the two computers I have in my house and to manage them appropriately. But in actuality, it’s easier for me to have my wife and son run Firefox rather than risk the “next IE zero day.”
I realize that it very well may be Firefox tomorrow if everyone jumps to that browser, but we’ve been here before with IE and we’ll probably experience it again.
Anyhow, I see no issue with the German government advising against the use of Internet Explorer and would not be surprised to see other organizations follow suit.
Again, this is not an indictment against Microsoft; rather, this is about taking the necessary steps to protect your critical information and systems. Finally, let me ask you a question. Do you rely on your builder or landlord to tell you how to protect your personal information in your house, or do you trust the safe manufacturer instead? For information security, rely on the security professionals.
As a final disclaimer, these views are mine alone and do not reflect the views of my employer.
