[SecurityRatty] tag: game

The "A"

Mon, 01 Dec 2008 10:57:00 +0000

Information Security sits in a strange area somewhere between Business and IT in a little space that really hasn't been properly defined. It is exciting here.

Generally, most people in Information Security today did not start out as pure Information Security people, they evolved. And where they evolved from gives one a clue as to their mindset and how they see themselves.

Some come from an Audit background and you'll recognise these guys from their love of lists and frameworks - they dream of Cobit controls and little boxes that are waiting for ticks. Somehow they have tons of documentation and they know it all and can find it all. They generally drive Volvo's and like order.

But most InfoSec guys come from an IT background and it shows. I guess that, having said that, most hackers come from an IT background too. And it shows.

Now, lets consider the C-I-A triangle thingum. Quick lesson for those who don't know it - there are three aspects of information that Information Security wishes to preserve - the Confidentiality, the Integrity and the Availability. From my experience, most IT people are governed by Availability - the "A". In fact, when an IT contract is drawn up - there is no SLI or SLC but there will always be an SLA. With very specific terms, measurements and penalties.

If the Firewall crashes and has to be rebuilt. What will the IT manager be most interested in? The A - how fast can you get the traffic moving again?

So we have tools to measure uptime in 99.999999999999999s and such and anything that can cause network downtime (or if the network is up and the services such as mail are down - same difference) is taken care of. Spam, worms, viruses etc.

I guess that hackers (those that define what we do) are also IT background people. They seem to be more concerned with big-bang, widely deployed DoS attacks and stealing IT resources. At least, they used to be, until they discovered that they could make money from stealing information. Actually, I may be naive but I don't believe that the hackers we have today are the same as those we had in the past... I believe that we have a new generation of hackers - criminals who merely use the Internet to steal money because that it where the money is easiest to steal.

The problem is that we were lucky in a way that our old tools worked against the threats that we had - firewalls, antiviruses, etc etc. They don't work against people breaking into our networks and stealing information. For that we need a new generation of Information Security people (or the old generation to update their game)...

Here is a quick poll to see which generation you are in:

1. What is the one piece of information on your network that your competitors would love to see?
2. What is the percentage of mails coming into your network that are spam?
3. What mail is going to competitors?
4. What is the process for someone to order a pencil?
5. What is a blog?
6. Who in your organisation uses facebook for business?
7. How many of your PCs have up-to-date antivirus?
8. What is the worst virus out at the moment?
9. Do you believe that your Firewall is configured correctly?

The answers are as follows:
1. This is ESSENTIAL to know if you want to be in the next generation. And you can't guess this. You may think that it is something financial but most financial information can be guessed by your competitors anyhow. You may think it is a recipe or special way of doing something but any established company has had their recipe ripped off anyhow and can beat any new competitor by competitive pricing. It may be new product information. It may be staff information. It may be the CEO's contact list. Don't guess - find out.

2. Who cares? Certainly not the CEO. Maybe the CIO. "We are saving you x amount of bandwidth and your users x amount of time" is nice but won't save the business from closing down due to data loss. Operationalise this and get on with your job.

3. Good to know. I'm sure that if you told your CEO/CIO "Last week we detected 5 large emails going to our competitors from inside our R&D department" you'd have his full attention.

4. Good to know. Who does the ordering? Who does the okaying? Who does the paying? If you know all of this then you know how business works. And when things go wrong - you'll be able to help.

5. And do you want your staff to use them? And if they do, what can they put on them? What are they puting on them?

6. This is an interesting question because Facebook is usually an issue of "The A" (productivity). But it can be an issue of C and I.

7. Who cares? Again, this is an operational issue. Viruses that jump onto your radar are usually ones that attack "the A" but its the ones that are pushing information out of your organisation that are sneaky enough not to have sgnatures and not to be discovered. You will have PCs without up-to-date antivirus and you will have viruses. The trick is not to let your information be stolen by viruses. Also, keep backups so if a PC does get wiped out - you can get the information back again (but this is an operational issue again).

8. Trick question - the answer is - the one you don't know about. Old generation InfoSec guys can rattle off names of viruses that are all in the top 10 at the moment.. New generation viruses are targetted and usually do their worst before a pattern is out.

9. Old generation answer - yes. New generation answer - who cares? Information flows all over including in and out of the Firewall. Firewalls also usually rely on port security but most everything runs on port 80 anyhow so the Firewall should be configured but it doesn't kep us safe - more work needs to be done for that.

I find that it is not very easy to move from old generation to new generation InfoSec. The main difference is that old generation was very technical and appealed to the technical nature of computer geeks. The new generation is business oriented and requires more interaction with people, more meetings, more time with people. Ouch.

There will always be a place for technical people in Information Security but as the tools mature and "just work" there is less demand. And a background in technology is very useful when the technical guys try to "BS" you.

And "the A" is very important too. Protecting your network from being brought down. Protecting information from disappearing. Stopping viruses. Etc. But the new generation will need to consider "the I" and "the C" as well because the attacks against these and the importance of protecting information against disclosure or manipulation will increase.

This post was done to add my voice to what Rich says so quickly and concisely in the securosis blog.

Schneier for TSA Administrator

Tue, 18 Nov 2008 10:46:24 +0000

It's been suggested. For the record, I don't want the job.

Since the election, the newspapers and Internet have been flooded with unsolicited advice for President-elect Barack Obama. I'll go ahead and add mine.
[...]

And by "revamp," I mean "start over." Most security experts agree that the rigmarole we go through at the airport is mere security theater, designed not to make us safer, but to make us feel safer by making it increasingly inconvenient to fly. TSA's approach to security is too reactionary -- too set on preventing attacks and attempted attacks that have already happened. And please, whatever you do, resist the temptation to let TSA workers unionize. Security from terror attacks should be a federal jobs program. You need the authority to fire underperforming screeners quickly and effortlessly. Three game-changing possibilities to head up TSA: security guru Bruce Schneier, Cato Institute security and technology scholar Jim Harper, or Ohio State University's John Mueller.

Although I'd be happy to see either Jim or John with it.

I don't want it because it's too narrow. I think the right thing for the government to do is to give the TSA a lot less money. I'd rather they defend against the broad threat of terrorism than focus on the narrow threat of airplane terrorism, and I'd rather they defend against the myriad of threats that face our society than focus on the singular threat of terrorism. But the head of the TSA can't have those opinions; he has to take the money he's given and perform the specific function he's assigned to perform. Not very much fun, really.

But I'd be happy to advise whoever Obama choses to head the TSA.

The job of the nation's CTO would be more interesting, but I don't think I want it, either. (Have you seen the screening process?)

AVG does the right thing

Fri, 14 Nov 2008 05:14:45 +0000

Although I still believe AVG was careless with their recent release, I respect their willingness to put "some skin in the...

AVG does the right thing (Updated)

Fri, 14 Nov 2008 05:14:45 +0000

Although I still believe AVG was careless with their recent release, I respect their willingness to put "some skin in the...

What is the best way to find a P.I.?

Fri, 14 Nov 2008 02:32:00 +0000

Where would you find a good P.I.? Should you even settle for good? Wouldn't it make more sense to find a great one? PInow.com Investigation news gave some useful pointers in their editorial yesterday.

I decided to write about this after seeing a request on a local listserve. I wrote and advised the person that it would be difficult to judge the quality of the investigator by such a general posting. To my amazement, the reply came back; "I know...some time I just post the job, close my eyes and hope for the best".

Hope for the best? Surely nobody would say such a thing to their client when they are getting that retainer. I can understand "hoping" for the weekend to be dry if you are having a picnic, or "hoping" that your football team wins the game on Sunday...but "hoping" an investigator does a decent job?

One of the better and more professional way to find a reputable investigator or investigaive agency, is to contact a local State association such as PIAVA (www.piava.org), or an international association such as the Council of International Investigators (www.cii2.org). Members of these associations have not only been carefully vetted, but they are held accountable since their professional reputations are riding on every assignment.

Good investigators can help your attorny win that child custody case, save the company from a false suit by an unethical employee claiming a make believe injury, help you find the fraudster that ran off with the company's clients or funds and many other useful tasks. A bad one can take your money and give you next to nothing in return.

Please make sure you only ever hire the good ones.

Show 032 - An Interview with Jeremiah Grossman

Thu, 13 Nov 2008 23:17:49 +0000

The 32nd episode of The Silver Bullet Security Podcast features founder and Chief Technology Officer of WhiteHat Security, Jeremiah Grossman. Gary and Jeremiah discuss clickjacking, cross-site request forgery, why 50% of web problems can’t be discovered reliably automatically, and which conferences Jeremiah most enjoyed on his 2008 world tour.

Jeremiah Grossman
Clickjacking
Adobe 0-day Browser Exploit
Cross-Site Request Forgeries: Exploitation and Prevention [PDF]
Web Spoofing: An Internet Con Game by Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach.
Web application scan-o-meter
The “Wall of Fame”

Game on!

Tue, 04 Nov 2008 21:00:00 +0000

In my last blog, we looked at increasing complexity on the part of both the “good” guys who are building legitimate businesses and on the part of the “bad guys” who are building a “dark network” of sorts that is remarkably like the first. Today, I’d like to dig into that and look at a system for explaining this; and I thought I’d use the phrase we used playing street hockey in my youth in Canada when the cars cleared the road, and the game got serious again: game on!...

Links List 10.31.08

Fri, 31 Oct 2008 18:10:53 +0000

Happy Halloween!

What an interesting time to hold a technology conference. The DLA Piper Global Technology Leaders Summit last week brought together CXOs from Amazon, Walmart.com, Stanford, Safeway, Microsoft, Sun, Cisco and others to discuss the state of IT in general and how the economy is impacting it. Some highlights:

“Cloud computing for large enterprises is a dead duck, in the opinion of several venture capital firms.”

“The current slowdown in the U.S. macroeconomy is definitely going to hurt the IT industry, as it will most of the nation’s businesses, for at least the next year and most likely into the next two years.”

NetApp cancelled its first user conference slated for 2009 citing economy-driven restrictions on business travel.

We recently wrote about the possible upside for MSPs in this economic downtown. A survey from EquaTerra of more than 200 outsourcing service suppliers announced that “more than 40 percent of those polled had seen increased demand levels, despite the economic downturn.” The survey suggests that outsourcing projects are changing, with a strong focus on quick return on investment replacing longer-term initiatives to improve end-to-end business processes, according to InfoWorld. So as we saw during our own surveys this year, it looks like IT will spend time and money against the practical projects that should and could get done and not taking on ITIL and CMDB projects.

Jonathan Schwartz as a puppet talking about open source and his ponytail. The driest Sesame Street take-off you’ll ever see. Check out the video here. For those of you playing a drinking game at home, “ponytail”.

Denise Dubie posted a follow up to her article Novell’s Managed Objects buy, and shared insights from different commenters, including yours truly.

One of our favorites, the IT Skeptic was featured on John Willis’ blog this week, answering some questions about CMDB, ITSMF and more. He also provided his insight into IBM Tivoli, although he “tries to stay non-partisan”.

Inexplicable. HP posted Halloween-themed videos about datacenters on YouTube this week. Unlike the great IBM videos about the mainframe, these videos speak techno-babble without tempering the lingo with being funny or tongue-in-cheek. Various frightening creatures share information on service management processes and discuss virtualization techniques to help consolidate hardware. Scary.

Building for the future

Tue, 28 Oct 2008 21:00:00 +0000

For most IT leaders, bound by long-standing infrastructure choices and loads of legacy systems, it's little more than a parlor game.

New To The Team - Old To The Game

Tue, 21 Oct 2008 09:57:48 +0000

Welcome, come on in, have a seat. There is a cold beer in the fridge, help yourself!

I may be new to the team, but I’m (reasonably) old to the game. My name is Tyler Shields and I’m the latest addition to the Veracode research team. I started at Veracode in September 2008 as a Senior Security Researcher and have been immediately thrown into the fire. Working for a fast paced, highly energetic company like Veracode, keeps you busy and challenges you every day. I plan to blog on the most interesting pieces of my work with Veracode and hope that you find it enlightening or at the very least entertaining.

In the past I have worked as the security engineer at a .com startup, as an incident response and forensics specialist for the United States Postal Service (think HUGE network), and most recently as a security consultant for @stake and Symantec. I have consulted on engagements for Fortune 500 companies, most major financial institutions, and the highest levels of the United States government. As a consultant my focus was on anything related to application security including, application penetration assessments, product security assessments, secure development lifecycle consulting, and secure application architecture engagements. I lead the @stake/Symantec Application Security Center of Excellence that was used to help guide the knowledge of the global consulting team. I also spent time as the lead for the Symantec Vulnerability Research program in which a number of interesting vulnerabilities were discovered and publicly released. In my spare time I enjoy reverse engineering and malware research. I recently completed my graduate degree in Information Security/Computer Science from James Madison University in Virginia.

So… Here’s to a new job, a new blog poster, and of course lots of fun to come.