<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: brass]]></title>
    <link>http://securityratty.com/tag/brass</link>
    <description></description>
    <pubDate>Fri, 05 Oct 2007 08:44:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Pentagon Slices and Dices Darpa Budget]]></title>
      <link>http://securityratty.com/article/0122a905d7d47f7674b9b0d2a0faa103</link>
      <guid>http://securityratty.com/article/0122a905d7d47f7674b9b0d2a0faa103</guid>
      <description><![CDATA[The Pentagon's storied research and development arm turned 50 years old this year. Its birthday present from the Pentagon brass: another $100 million in budget...]]></description>
      <content:encoded><![CDATA[The Pentagon's storied research and development arm turned 50 years old this year. Its birthday present from the Pentagon brass: another $100 million in budget cuts.<br style="clear: both;"/>
]]></content:encoded>
      <pubDate>Tue, 22 Jul 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/pentagon">pentagon</category>
      <category domain="http://securityratty.com/tag/pentagon brass">pentagon brass</category>
      <category domain="http://securityratty.com/tag/budget cuts">budget cuts</category>
      <category domain="http://securityratty.com/tag/development arm">development arm</category>
      <category domain="http://securityratty.com/tag/million">million</category>
      <category domain="http://securityratty.com/tag/research">research</category>
      <category domain="http://securityratty.com/tag/birthday">birthday</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/343058759/pentagon-slices.html">Pentagon Slices and Dices Darpa Budget</source>
    </item>
    <item>
      <title><![CDATA[Myrcurial Selected To Speak At Last Hope]]></title>
      <link>http://securityratty.com/article/721375fa3c53a4a3aa4ebb5efb627fef</link>
      <guid>http://securityratty.com/article/721375fa3c53a4a3aa4ebb5efb627fef</guid>
      <description><![CDATA[I had a long crappy day as anyone who might follow my Twitter may have seen. I was wallowing in my own discontent when I met up with Myrcurial for lunch today. The cheshire grin on his face was...]]></description>
      <content:encoded><![CDATA[<p><center><img src="http://www.liquidmatrix.org/blog/wp-content/uploads/2008/06/cheshire.jpg" /></center></p>
<p>I had a long crappy day as anyone who might follow my <a href="http://twitter.com/gattaca">Twitter</a> may have seen. I was wallowing in my own discontent when I met up with <a href="http://twitter.com/myrcurial">Myrcurial</a> for lunch today. The cheshire grin on his face was something to behold. As it turns out, the weasel had been sitting on a rather significant announcement (for the last month) that he alluded to in his <a href="http://www.liquidmatrix.org/blog/2008/06/19/the-last-hope-list-of-talks-posted/">earlier posting</a> today. </p>
<p>Myrcurial will be speaking at Last Hope! Very cool brother! His talk entitled, &#8220;<a href="http://www.thelasthope.org/talks.php">From a Black Hat to a Black Suit</a>&#8221; will be a must see for any propeller heads that have aspirations for a corner office one day. </p>
<p>From the talk summary:</p>
<blockquote><p>You want it all. You can see the brass ring and you want to jump for it. But you&#8217;re scared. You don&#8217;t want to put on a suit and watch your soul shrivel like the spot price on RAM. There is another way. In this session, you will learn: why you want to do this to yourself, how to get the first job (which will suck), how to turn the first job into the next job (while still having fun), how to get the top job (sooner than you thought you could), and how to do it all without feeling like a corporate whore. You want to hack the planet? You&#8217;ve got to start somewhere. </p></blockquote>
<p>I&#8217;ll be the smart ass in the back crackin wise. </p>
<p><a href="http://www.thelasthope.org/talks.php">Article Link</a></p>

]]></content:encoded>
      <pubDate>Thu, 19 Jun 2008 18:26:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/top job">top job</category>
      <category domain="http://securityratty.com/tag/job">job</category>
      <category domain="http://securityratty.com/tag/myrcurial">myrcurial</category>
      <category domain="http://securityratty.com/tag/day">day</category>
      <category domain="http://securityratty.com/tag/talk summary">talk summary</category>
      <category domain="http://securityratty.com/tag/suit">suit</category>
      <category domain="http://securityratty.com/tag/crappy day">crappy day</category>
      <category domain="http://securityratty.com/tag/black suit">black suit</category>
      <category domain="http://securityratty.com/tag/talk">talk</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/315751037/">Myrcurial Selected To Speak At Last Hope</source>
    </item>
    <item>
      <title><![CDATA[Pentagon Inked $97 Million Deal With Shady Kremlin Outfit]]></title>
      <link>http://securityratty.com/article/ef02162cebc829d20ac7ef25d2c368ac</link>
      <guid>http://securityratty.com/article/ef02162cebc829d20ac7ef25d2c368ac</guid>
      <description><![CDATA[The Missile Defense Agency signed a $97 million contract with a shady Russian outfit, to get access to &quot;Putin's inner circle.&quot; Then came questions from the Pentagon brass. The FBI raids. And a...]]></description>
      <content:encoded><![CDATA[The Missile Defense Agency signed a $97 million contract with a shady Russian outfit, to get access to "Putin's inner circle." Then came questions from the Pentagon brass. The FBI raids. And a Congressman's fall from power.<br style="clear: both;"/>
]]></content:encoded>
      <pubDate>Thu, 12 Jun 2008 08:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/shady russian outfit">shady russian outfit</category>
      <category domain="http://securityratty.com/tag/missile defense agency">missile defense agency</category>
      <category domain="http://securityratty.com/tag/million contract">million contract</category>
      <category domain="http://securityratty.com/tag/fbi raids">fbi raids</category>
      <category domain="http://securityratty.com/tag/pentagon brass">pentagon brass</category>
      <category domain="http://securityratty.com/tag/congressman">congressman</category>
      <category domain="http://securityratty.com/tag/circle">circle</category>
      <category domain="http://securityratty.com/tag/access">access</category>
      <category domain="http://securityratty.com/tag/questions">questions</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/310541015/lawyers-nukes-1.html">Pentagon Inked $97 Million Deal With Shady Kremlin Outfit</source>
    </item>
    <item>
      <title><![CDATA[NSA Attacks West Point! Relax, It's a Cyberwar Game]]></title>
      <link>http://securityratty.com/article/f11d60d6da0ea55d61cdb03f3578daa6</link>
      <guid>http://securityratty.com/article/f11d60d6da0ea55d61cdb03f3578daa6</guid>
      <description><![CDATA[Five hours into their assault on West Point, the hackers got serious. The SQL [structured query language] inserts that came earlier were just pablum intended to lull the Army cadets into a false sense...]]></description>
      <content:encoded><![CDATA[<p>Five hours into their assault on West Point, the hackers got serious. 
</p>

<p>
The SQL [structured query language] inserts that came earlier were just pablum intended to lull the Army cadets into a false sense of security. But then the bad guys unleashed a stealthy kernel-level rootkit that burrowed into one workstation, started scraping data and "calling home."
</p>

<p>
It was a highly sophisticated attack, but this time the bad guys were really good guys in wolves' clothing.
</p>

<p>
For four days in late April, the National Security Agency -- the nation's most secretive repository of spooks, snoops and electronic eavesdroppers -- directed coordinated assaults on custom-built networks at seven of the nation's military academies, including West Point, the Army university 50 miles north of New York City.
</p>

<p>
It was all part of the seventh annual Cyber Defense Exercise, a training event for future military IT specialists. The exercise offered a rare window into the NSA's toolkit for infiltrating, corrupting or destroying computer networks.
</p>

<p>
The 34 Army cadets comprising the West Point IT team operated in a different kind of battlefield, but their combat skills and instincts need to be every bit as sharp. Like George Washington said: "There is nothing so likely to produce peace as to be well prepared to meet the enemy."
</p>

<p>
The SQL injections, targeting their Fedora Core 8 Web server, were a piece of cake for these IT combatants. Each injection tried to smuggle malicious code inside the seemingly harmless language used by the network’s MySQL software. The cadets handily defended with open source Apache web server modules, plus some manual tweaking of the SQL database to "avoid any surprises," in the words of Lt. Col. Joe Adams, a West Point instructor who helped coach the team.
</p>

<p>
But the kernel-level rootkit was much more dangerous. This stealthy operating-system hijacker can open unseen "back doors" into even highly protected networks. When they detected the rootkit's "calls home," the cadets launched Sysinternals security software to find the hijacker, then manually scoured the workstation to find the unwelcome executable file.
</p><p>
Then they terminated it. With extreme prejudice.
</p>
<p>
"This was probably the most challenging part of the exercise, since it required them to use some advanced techniques to find the rootkit," Adams says. And rooting it out helped boost the West Point team to the top of the pile when, in the aftermath of the exercise, the referees rated all the universities' network defenses.
</p>
<p>
For the second year in a row, the Army placed first over the Navy, Air Force, Coast Guard and others, winning geek bragging rights and the privilege of holding onto a gaudy, 60-pound brass trophy festooned with bald eagles and American flags. Adams credits the team’s thorough preparation and their excellent teamwork despite the round-the-clock schedule.
</p>

<p>At the network control room on the second floor of West Point’s 200-year-old engineering building (which once was an indoor horse corral and still smells like it in some remote corners, according to one instructor), the IT team set up cots and, just for the hell of it, camouflaged netting. They worked in shifts, with one team member always monitoring incoming and outgoing traffic. He or she would alert other cadets -- "router guys" -- to block any suspicious addresses. Meanwhile, off-shift cadets would make food and coffee runs to keep everyone fueled up and alert. Together, the team was "faster than anyone else," Adams says.
</p>

<p>
But the way the cadets designed their network was a big factor in their victory, too. The NSA dictated some terms: All networks had to be capable of e-mail, chat and other services and had to be up and running at all times despite any attacks or defensive measures. Beyond that, the teams were free to come up with their own designs.
</p>

<p>
West Point's took three weeks to build. The cadets settled on a fairly standard Linux and FreeBSD-based network with advanced routing techniques for steering incoming traffic in directions of the IT team's choosing.
</p>

<p>
The choices in software tools for responding to any attack really boiled down to "automatic" versus "custom," says Eric Dean, a civilian programmer and instructor. He adds that while automatic tools that do most of their own work are certainly easier, custom tools that allow more manual tweaking are more effective. "I expect one of the 'lessons learned' will be the use of custom tools instead of automatics."
</p>

<p>
Even with a solid network design and passable software choices, there was an element of intuitiveness required to defend against the NSA, especially once it became clear the agency was using minor, and perhaps somewhat obvious, attacks to screen for sneakier, more serious ones.
</p>

<p>
"One of the challenges was when they see a scan, deciding if this is it, or if it’s a cover," says Dean. Spotting "cover" attacks meant thinking like the NSA -- something Dean says the cadets did quite well. "I was surprised at their creativity."
</p>

<p>
Legal limitations were a surprising obstacle to a realistic exercise. Ideally, the teams would be allowed to attack other schools' networks while also defending their own. But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network.
</p>

<p>
And despite the relative sophistication of the NSA's assaults, the agency told Wired.com that it had tailored its attacks to be just "a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones."
</p>

<p>
In other words, grasshopper, nice work -- but the NSA is capable of much craftier network take-downs.
</p><br style="clear: both;"/>
]]></content:encoded>
      <pubDate>Fri, 09 May 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/army university">army university</category>
      <category domain="http://securityratty.com/tag/army">army</category>
      <category domain="http://securityratty.com/tag/custom-built networks">custom-built networks</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <category domain="http://securityratty.com/tag/nsa">nsa</category>
      <category domain="http://securityratty.com/tag/army cadets">army cadets</category>
      <category domain="http://securityratty.com/tag/west">west</category>
      <category domain="http://securityratty.com/tag/cadets">cadets</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/287200227/nsa_cyberwargames">NSA Attacks West Point! Relax, It's a Cyberwar Game</source>
    </item>
    <item>
      <title><![CDATA[Cyber Espionage]]></title>
      <link>http://securityratty.com/article/635f125a82a7957387c923247d583b77</link>
      <guid>http://securityratty.com/article/635f125a82a7957387c923247d583b77</guid>
      <description><![CDATA[Interesting investigative article from Business Week on Chinese cyber espionage against the U.S. government, and the government's reaction. When the deluge began in 2006, officials scurried to come up...]]></description>
      <content:encoded><![CDATA[<p>Interesting investigative article from <i><a href="http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm">Business Week</a></i> on Chinese cyber espionage against the U.S. government, and the government's reaction.</p>

<blockquote>When the deluge began in 2006, officials scurried to come up with  software "patches," "wraps," and other bits of triage. The effort got serious last summer when top military brass discreetly summoned the chief executives or their representatives from the 20 largest U.S. defense contractors to the Pentagon for a "threat briefing." BusinessWeek has learned the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. And President George W. Bush on Jan. 8 quietly signed an order known as the Cyber Initiative to overhaul U.S. cyber defenses, at an eventual cost in the tens of billions of dollars, and establishing 12 distinct goals, according to people briefed on its contents. One goal in particular illustrates the urgency and scope of the problem: By June all government agencies must cut the number of communication channels, or ports, through which their networks connect to the Internet from more than 4,000 to fewer than 100. On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."</blockquote>

<p>It can only help for the U.S. government to get its own cybersecurity house in order.</p>]]></content:encoded>
      <pubDate>Mon, 28 Apr 2008 02:45:35 +0000</pubDate>
      <category domain="http://securityratty.com/tag/government agencies">government agencies</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/president">president</category>
      <category domain="http://securityratty.com/tag/homeland security dept">homeland security dept</category>
      <category domain="http://securityratty.com/tag/chinese cyber espionage">chinese cyber espionage</category>
      <category domain="http://securityratty.com/tag/secretary michael chertoff">secretary michael chertoff</category>
      <category domain="http://securityratty.com/tag/president george">president george</category>
      <category domain="http://securityratty.com/tag/critical networks">critical networks</category>
      <category domain="http://securityratty.com/tag/disarm intrusions">disarm intrusions</category>
      <source url="http://www.schneier.com/blog/archives/2008/04/cyber_espionage.html">Cyber Espionage</source>
    </item>
    <item>
      <title><![CDATA[Is the U.S. Army Reading Your Blog?]]></title>
      <link>http://securityratty.com/article/88ea27a200875788ae4f40c680b01882</link>
      <guid>http://securityratty.com/article/88ea27a200875788ae4f40c680b01882</guid>
      <description><![CDATA[The Army freely admits reading the things its soldiers have to say in their personal blogs. But there's also a chance the brass is having a look at what you post, too, Mr. Civilian, if you're blogging...]]></description>
      <content:encoded><![CDATA[The Army freely admits reading the things its soldiers have to say in their personal blogs. But there's also a chance the brass is having a look at what you post, too, Mr. Civilian, if you're blogging about their GIs.<br style="clear: both;"/>
]]></content:encoded>
      <pubDate>Fri, 11 Apr 2008 10:40:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/personal blogs">personal blogs</category>
      <category domain="http://securityratty.com/tag/army freely">army freely</category>
      <category domain="http://securityratty.com/tag/brass">brass</category>
      <category domain="http://securityratty.com/tag/chance">chance</category>
      <category domain="http://securityratty.com/tag/soldiers">soldiers</category>
      <category domain="http://securityratty.com/tag/gis">gis</category>
      <category domain="http://securityratty.com/tag/post">post</category>
      <category domain="http://securityratty.com/tag/civilian">civilian</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/268416054/army-spies-on-f.html">Is the U.S. Army Reading Your Blog?</source>
    </item>
    <item>
      <title><![CDATA[Stiennon wants to know - it is all about execution]]></title>
      <link>http://securityratty.com/article/10856e94c186c2b047e545686eaf3766</link>
      <guid>http://securityratty.com/article/10856e94c186c2b047e545686eaf3766</guid>
      <description><![CDATA[As some of you may know Richard Stiennon and I have had our disagreements over the years around NAC. But say what you want about Rich, at least he had the stones to ask what many of you would probably...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>As some of you may know Richard Stiennon and I have had our disagreements over the years around NAC.&nbsp; But say what you want about Rich, at least he had the stones to ask what many of you would probably like to ask but wouldn't. Here is Rich's comment and my reply:</p><blockquote><p><em>Posted by Stiennon: OK, so one well regarded security company turns out not to be that successful after all. As you point out Allen, from the press releases everything seemed like it was going great for Lockdown. As you know I think NAC is a waste of time (the health checking part, not the access control part). And of course I am going to say that companies founded on purely bad concepts like admission control are going to fail and Lockdown is a great example. So here is the question, thou supporter of NAC. How are we to know whether or not StillSecure is on the brink of shuttering its doors as well? How can you assure us that NAC is such a great concept that customers are beating down your doors to get some of that magic? Just wondering..... -Stiennon</em></p></blockquote><p>Richard, first of all thanks for the opportunity to respond. Secondly, you would think after all this time you would know that my name is spelled Alan.&nbsp; With that out of the way, let's dive in here.&nbsp; </p>

<p>First of all on your characterization of NAC being all about health checking, Richard NAC has grown beyond that a long time ago and I don't see much sense in us wasting time on that one.&nbsp; But for the record maybe you should let Microsoft, Symantec, McAfee and all the rest of the host based health checkers in on your revelation.</p>

<p>Next Richard, who said Lockdown was a well regarded security company and that it was founded on a pure concept of admission control?&nbsp; You know what happens when you ass-u-me Richard, don't you?&nbsp; I have been out here hammering on a lot of these companies that I don't think have real solutions.&nbsp; There has been a ton of smoke and mirror games from marketing people (you wouldn't know about any of that would you Richard?).&nbsp; When I called these companies on the BS, too many people said I was just being biased against them. </p>

<p>You don't see StillSecure putting out those kinds of releases. Fact is Lockdown with all due respect to the folks there, was set up from the beginning to be a quick flip.&nbsp; It was a speculative an endeavor as some of the condo owners who are left holding the bag down here in South Florida.&nbsp; They were going to do something around vulnerability management and flip this quick.&nbsp; Richard, I have been there.&nbsp; When you dress up a pig for market, often times you end up with a dressed up pig. No amount of lipstick is going to help. On the other hand, we just keep executing.&nbsp; At the end of the day Richard, companies who succeed are companies that execute.&nbsp; You have certainly been at your share of companies and should know that by now.</p>

<p>Now lets get down to brass tacks.&nbsp; Just because Lockdown and a few other NAC companies that did not have competitive products went out of business, does that mean all NAC companies are going out of business?&nbsp; Talk about painting with a broad brush Richard!&nbsp; Thats like saying all analysts are ignorant because look how many times some of their predictions are wrong (anybody see any IDS out there today?)&nbsp; Not all analysts are ignorant Richard, just the ones who keep making the wrong assumptions and predictions (and they usually wind up going to VP of marketing roles).&nbsp; Cream always rises to the top Richard and quality never goes out of style. If you have a product that works and solves peoples problems you will do fine.</p>

<p>As far as living up to expectations, that is a question of whose expectations. It was no secret that the analysts were smoking their socks with some of the numbers being thrown around regarding NAC. The fact that you call it magic should not be lost on you or others.&nbsp; NAC ain't magic, it is bread and potatoes security. Internally here at StillSecure we always had our own internal compass and business plan guiding us.&nbsp; According to those, our NAC product is doing just fine, thanks! Also remember that StillSecure has a number of products that actually work well together, so we are not overly dependent on any one of our products.&nbsp; That is smart business Richard. Again, to paraphrase Al Davis, &quot;just execute baby!&quot;</p>

<p>Are customers beating our door down?&nbsp; I think so, but frankly our goal is to have our customers beat our partners' doors down and that is happening too.&nbsp; A key difference in our NAC plan was having distribution partners in the &quot;network fabric&quot;. We have accomplished that goal and it serves us well. NAC for us continues to evolve and grow, but we are doing just fine with it.&nbsp; We don't do rah, rah BS press release stuff, but you know Richard there is a saying in NY that I learned as a little boy growing up.&nbsp; I am sure you probably never heard it in the mid-west.&nbsp; It goes something like this:&nbsp; &quot;Those who know don't talk and those who talk don't know&quot;&nbsp; Those that need to know about our financial position know.&nbsp; The fact that you question our position I guess means you have been placed in the category of the don't need to knows. Sorry Richard.</p></div>
]]></content:encoded>
      <pubDate>Thu, 20 Mar 2008 23:15:44 +0000</pubDate>
      <category domain="http://securityratty.com/tag/stiennon">stiennon</category>
      <category domain="http://securityratty.com/tag/nac">nac</category>
      <category domain="http://securityratty.com/tag/richard nac">richard nac</category>
      <category domain="http://securityratty.com/tag/ignorant">ignorant</category>
      <category domain="http://securityratty.com/tag/ignorant richard">ignorant richard</category>
      <category domain="http://securityratty.com/tag/richard">richard</category>
      <category domain="http://securityratty.com/tag/richard stiennon">richard stiennon</category>
      <category domain="http://securityratty.com/tag/top richard">top richard</category>
      <category domain="http://securityratty.com/tag/nac companies">nac companies</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/03/give-stiennon-c.html">Stiennon wants to know - it is all about execution</source>
    </item>
    <item>
      <title><![CDATA[Stiennon wants to know - it is all about execution]]></title>
      <link>http://securityratty.com/article/f84a43e492c2e39a81fd737d0a8602b7</link>
      <guid>http://securityratty.com/article/f84a43e492c2e39a81fd737d0a8602b7</guid>
      <description><![CDATA[As some of you may know Richard Stiennon and I have had our disagreements over the years around NAC. But say what you want about Rich, at least he had the stones to ask what many of you would probably...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>As some of you may know Richard Stiennon and I have had our disagreements over the years around NAC.&nbsp; But say what you want about Rich, at least he had the stones to ask what many of you would probably like to ask but wouldn't. Here is Rich's comment and my reply:</p><blockquote><p><em>Posted by Stiennon: OK, so one well regarded security company turns out not to be that successful after all. As you point out Allen, from the press releases everything seemed like it was going great for Lockdown. As you know I think NAC is a waste of time (the health checking part, not the access control part). And of course I am going to say that companies founded on purely bad concepts like admission control are going to fail and Lockdown is a great example. So here is the question, thou supporter of NAC. How are we to know whether or not StillSecure is on the brink of shuttering its doors as well? How can you assure us that NAC is such a great concept that customers are beating down your doors to get some of that magic? Just wondering..... -Stiennon</em></p></blockquote><p>Richard, first of all thanks for the opportunity to respond. Secondly, you would think after all this time you would know that my name is spelled Alan.&nbsp; With that out of the way, let's dive in here.&nbsp; </p>

<p>First of all on your characterization of NAC being all about health checking, Richard NAC has grown beyond that a long time ago and I don't see much sense in us wasting time on that one.&nbsp; But for the record maybe you should let Microsoft, Symantec, McAfee and all the rest of the host based health checkers in on your revelation.</p>

<p>Next Richard, who said Lockdown was a well regarded security company and that it was founded on a pure concept of admission control?&nbsp; You know what happens when you ass-u-me Richard, don't you?&nbsp; I have been out here hammering on a lot of these companies that I don't think have real solutions.&nbsp; There has been a ton of smoke and mirror games from marketing people (you wouldn't know about any of that would you Richard?).&nbsp; When I called these companies on the BS, too many people said I was just being biased against them. </p>

<p>You don't see StillSecure putting out those kinds of releases. Fact is Lockdown, with all due respect to the folks there, was set up from the beginning to be a quick flip.&nbsp; It was as speculative an endeavor as some of the condo owners who are left holding the bag down here in South Florida.&nbsp; They were going to do something around vulnerability management and flip this quick.&nbsp; Richard, I have been there.&nbsp; When you dress up a pig for market, often times you end up with a dressed up pig. No amount of lipstick is going to help. On the other hand, we just keep executing.&nbsp; At the end of the day Richard, companies who succeed are companies that execute.&nbsp; You have certainly been at your share of companies and should know that by now.</p>

<p>Now let's get down to brass tacks.&nbsp; Just because Lockdown and a few other NAC companies that did not have competitive products went out of business, does that mean all NAC companies are going out of business?&nbsp; Talk about painting with a broad brush Richard!&nbsp; That's like saying all analysts are ignorant because look how many times some of their predictions are wrong (anybody see any IDS out there today?)&nbsp; Not all analysts are ignorant Richard, just the ones who keep making the wrong assumptions and predictions (and they usually wind up going to VP of marketing roles).&nbsp; Cream always rises to the top Richard and quality never goes out of style. If you have a product that works and solves people's problems you will do fine.</p>

<p>As far as living up to expectations, that is a question of whose expectations. It was no secret that the analysts were smoking their socks with some of the numbers being thrown around regarding NAC. The fact that you call it magic should not be lost on you or others.&nbsp; NAC ain't magic, it is bread and potatoes security. Internally here at StillSecure we always had our own internal compass and business plan guiding us.&nbsp; According to those, our NAC product is doing just fine, thanks! Also remember that StillSecure has a number of products that actually work well together, so we are not overly dependent on any one of our products.&nbsp; That is smart business Richard. Again, to paraphrase Al Davis, &quot;just execute baby!&quot;</p>

<p>Are customers beating our door down?&nbsp; I think so, but frankly our goal is to have our customers beat our partners' doors down and that is happening too.&nbsp; A key difference in our NAC plan was having distribution partners in the &quot;network fabric&quot;. We have accomplished that goal and it serves us well. NAC for us continues to evolve and grow, but we are doing just fine with it.&nbsp; We don't do rah, rah BS press release stuff, but you know Richard there is a saying in NY that I learned as a little boy growing up.&nbsp; I am sure you probably never heard it in the mid-west.&nbsp; It goes something like this:&nbsp; &quot;Those who know don't talk and those who talk don't know&quot;&nbsp; Those that need to know about our financial position know.&nbsp; The fact that you question our position I guess means you have been placed in the category of the don't need to knows. Sorry Richard.</p></div>

]]></content:encoded>
      <pubDate>Thu, 20 Mar 2008 22:15:44 +0000</pubDate>
      <category domain="http://securityratty.com/tag/stiennon">stiennon</category>
      <category domain="http://securityratty.com/tag/nac">nac</category>
      <category domain="http://securityratty.com/tag/richard nac">richard nac</category>
      <category domain="http://securityratty.com/tag/ignorant">ignorant</category>
      <category domain="http://securityratty.com/tag/ignorant richard">ignorant richard</category>
      <category domain="http://securityratty.com/tag/richard">richard</category>
      <category domain="http://securityratty.com/tag/richard stiennon">richard stiennon</category>
      <category domain="http://securityratty.com/tag/top richard">top richard</category>
      <category domain="http://securityratty.com/tag/nac companies">nac companies</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/255352354/give-stiennon-c.html">Stiennon wants to know - it is all about execution</source>
    </item>
    <item>
      <title><![CDATA[Google Maps the Earth ... Except for U.S. Military Bases]]></title>
      <link>http://securityratty.com/article/3c2e782f25f142a578bcfb874890c8cf</link>
      <guid>http://securityratty.com/article/3c2e782f25f142a578bcfb874890c8cf</guid>
      <description><![CDATA[Google mappers are barred from all U.S. military installations after images of a Texas base turned up on the site. Security is compromised, says the...]]></description>
      <content:encoded><![CDATA[Google mappers are barred from all U.S. military installations after images of a Texas base turned up on the site. Security is compromised, says the brass.]]></content:encoded>
      <pubDate>Fri, 07 Mar 2008 13:15:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/texas base">texas base</category>
      <category domain="http://securityratty.com/tag/military installations">military installations</category>
      <category domain="http://securityratty.com/tag/google mappers">google mappers</category>
      <category domain="http://securityratty.com/tag/brass">brass</category>
      <category domain="http://securityratty.com/tag/images">images</category>
      <category domain="http://securityratty.com/tag/site">site</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/247465301/click.phdo">Google Maps the Earth ... Except for U.S. Military Bases</source>
    </item>
    <item>
      <title><![CDATA[The Conscious Competence Security Model]]></title>
      <link>http://securityratty.com/article/6d5183f8c1c68792c7548d27f900b07b</link>
      <guid>http://securityratty.com/article/6d5183f8c1c68792c7548d27f900b07b</guid>
      <description><![CDATA[A while back I learned of the Conscious Competence Learning Model (we'll get to exactly what it is) and I knew I had to blog about it and then I forgot but I was reminded of it again when I read this...]]></description>
      <content:encoded><![CDATA[A while back I learned of the <a href="http://www.businessballs.com/consciouscompetencelearningmodel.htm">Conscious Competence Learning Model</a> (we'll get to exactly what it is) and I knew I <span style="font-style: italic;">had</span> to blog about it and then I forgot but I was reminded of it again when I read <a href="http://taosecurity.blogspot.com/2007/09/visibility-visibility-visibility.html">this article</a> by Richard Bejtlich.<br /><br />He in turn is discussing CIO Magazine's <a href="http://www.cio.com/article/133600/">Fifth Annual Global State of Information Security</a> which is worth a read especially if you are in the Information Security field.<br /><br />It was these two quotes that reminded me of the Learning Model -<br /><br /><blockquote>You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them.</blockquote>and<br /><br /><blockquote>As [Ron] Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."</blockquote>This sounds very depressing and sounds like we should just throw in the towel but I think it is more positive than that.<br /><br />The <a href="http://www.businessballs.com/consciouscompetencelearningmodel.htm">Conscious Competence Learning Model</a> has many different names and versions but the concept is as follows:<br /><br /><ol><li>At first you are blissfully unaware of how much you don't know. </li><li>Then you start learning and get overwhelmed once you learn just how much you don't know.</li><li>Then you learn some more and you struggle along learning all the time. 
</li><li>Then you become a professional and know everything without having to think very much.</li></ol><br /><br />My Information Security spin on this is:<br /><ol><li>At first you have firewalls and antivirus and you feel safe. You don't know what is really happening on your network but you are sure that everything is fine.</li><li>Then, for some reason you take Information Security seriously and spend some more money on what is really important. You realise just how unsafe your network and information really is.<br /></li><li>You work at it, struggling all the time to get a proper plan in place and back it up with all the good stuff you can such as technological solutions, training, awareness, processes etc all the time refining and updating the process to get more secure. At the same time new projects have security built in from day 1. All the time you are finding new issues to fix but these are getting less and less and you know that you are getting more secure.</li><li>All your systems are secured as much as they need to be. All new threats have action plans in place. New projects, users, systems all have procedures that make them as secure as possible. All risks are dealt with in the way Business expects them to be. There may be incidents but there are no surprises.<br /></li></ol>From the CSO article and Richard's blog post I think that most companies in the survey are at step number 2 moving (hopefully) to step 3.<br /><br />My feeling is that most companies are at stage 1 with a resistance to move to stage 2. Companies that are at stage 1 would (probably) not be a part of the CSO magazine community. I think that very few companies would be at step 4 but many companies would be battling along at step 3.<br /><br />Obviously the size of the company and what sector the company is in would help determine what step they are on. 
As well as the amount of leadership the Top Brass have and the enthusiasm of the Security Department.]]></content:encoded>
      <pubDate>Fri, 05 Oct 2007 08:44:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information security field">information security field</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security spin">information security spin</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security incident">security incident</category>
      <category domain="http://securityratty.com/tag/computer security">computer security</category>
      <category domain="http://securityratty.com/tag/conscious competence">conscious competence</category>
      <category domain="http://securityratty.com/tag/model">model</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/165712061/conscious-competence-security-model.html">The Conscious Competence Security Model</source>
    </item>
  </channel>
</rss>
