[SecurityRatty] tag: regular

Stuff You Might Like

Thu, 20 Nov 2008 10:29:09 +0000

Usually I beg off of doing posts that link to other posts (Liquidmatrix does a great job of this on a regular basis), but I was afraid that James & Dave’s usually excellent intern might miss some items of note and so I thought I’d offer up a couple of things today:

1) Gunnar has put up his speech as the Quality of Protection Keynote: “The Economics of Finding and Fixing Vulnerabilities in Distributed Systems.” Don’t worry if that title doesn’t turn you on, his post is one of the best this year. I wanted to make today’s blog post some reflection on what he says there, but I haven’t the time today and we’ll have to table that until next week. Anyway, it’s excellent.

2) Aleks Jakulin writes about The Future of Data Analysis. I spoke with a CSO who is morphing into a CRO role and one of the things he plans on doing is hiring about a half dozen data analysts. If you think better use of Security Information is in your future, you’ll want to take a look at that blog.

3) Brent Huston of the Ohio voting machine fame writes about an incident he just worked on and risk and rational security.

4) Our friend Mike Rothman and our friends at Business Of Security/Cisco are doing a Pragmatic CSO thing. Mike is always entertaining and practical (dare I say, pragmatic) so I think this should be a fun webex. Hope you’ll sign up.

Namaste Risk Geeks!

MSDN Security Issue Articles

Thu, 13 Nov 2008 20:58:00 +0000

Bryan here. The SDL team is well represented in the annual security issue of MSDN magazine – we have three articles that might be interesting to you, given that you read the SDL Blog!

First up is a code review quiz, “Test Your Security IQ”. Put your C/C++/C# security skills to the challenge by reviewing ten tricky code snippets that Michael and I devised. As an added incentive, I’ll post public congratulations here in the SDL blog to the first person who reverses the insecure hash found somewhere in the exam (not to give too much of a hint).

Next up, we have “Agile SDL: Streamline Security Practices for Agile Development”. I’ve been talking about web application security issues in the SDL blog (and in the September issue of MSDN magazine, if you missed it). However, while it’s essential to make sure that web-specific issues are covered in the SDL, it’s equally important to make sure that web development teams – and other Agile development teams – can use the SDL effectively, and the classic, phased SDL approach is not always a good fit for these teams. This MSDN article is the first public look at the new SDL/Agile methodology that we’ve been working on for the last year. This process is currently in beta with some internal Microsoft product teams and online services. We’d love to get some external feedback on it before we release it to the entire company, so please send us your thoughts.

Finally, be sure to check out Michael’s Security Briefs column “Threat Models Improve Your Security Process”. Regular readers of this blog know how important threat modeling is to secure development. This article describes methods of using threat modeling not just to identify security vulnerabilities outright, but how to use it to make other SDL activities such as fuzzing and reducing attack surface more effective.

Three articles are more than enough for one team for one month! But be on the lookout for more articles from the usual SDL suspects in the near future. As always, keep watching this space for details.

New Phishing Hits Domain Owners Accounts At eNom, NetworkSolutions

Thu, 30 Oct 2008 08:17:30 +0000

Sophos have reported a new kind of phishing campaign yesterday. Instead of the regular bank phish, or the more recent university/webmail email account phish, this new campaign targets domain registrar accounts, as per the email below: The email fakes the From address (purports to come from tech@enom.com) and ask the user to update their account due [...]

CLOUD COMPUTING - STORMY WEATHER?

Mon, 27 Oct 2008 12:46:17 +0000

Lots being written about the Cloud, most of it quite dark and gloomy. In fact I’m surprised, that Hoff hasn’t got a preso spooled up called “The Toxic Cloud” or something similarly ominous for his next speaking tour.
That said, the Economist does a great job distilling the issue into a simple statement -

Cloud computing is a trade-off between sovereignty and efficiency.

Let me ask you - if you had to put your money on one of those horses, considering your average profit-preoccupied business, which would it be? I’d put my bottom dollar on the thoroughbred named “Cost Center Reduction”, to place.

WHO ARE WE TO STAND IN THE WAY OF “PROGRESS”?

I’m always fond of Jack’s rule that the role of information risk management boils down to three deceptively simple premises:

Reduce Risk.
Reduce Loss.
Create Operational Efficiencies.

So it would seem antithetical to the charter of the Chief Security Officer to stand in the way of progress as embodied by “cloud computing” (not to mention dangerous to long-term job security). And I think that this presents opportunities to discuss strategies for managing risk, strategies that aren’t too theoretical and have practical application (though actual “cloud” use by enterprises may be rare at this point).

ON RISK REDUCTION IN THE CLOUD (or, How To Learn From the Shortcomings of PCI DSS)

The good news is, there’s already a well-established model for managing the risk around outsourcing the processing of “confidential” information. The bad news is, that model kinda sucks it.

The Payment Card Industry, known as the “PCI” or “meal ticket” to many in the industry, faced a similar problem with the introduction of GLBA. As I see it (and I’m not at all close to the PCI, at all, so this is all just abstract soliloquy) the PCI had one of two choices when faced with the prospect of other people managing their sensitive information:

Accept the *massive* amount of GLBA risk their business creates and spend a TON of money to build out the infrastructure (both process and IT) to manage the consumer data themselves (in conjunction with the banks, of course) and never have it grace the computing systems of the retailer. Or,
Transfer the GLBA risk down to the retailer and have them bear the majority of the risk (and cost of reducing risk to a level that might be tolerable to the US Government).

(Martin, you may recall our Twittering about PCI a while back. This is the crux of my view on the subj.)

Now fortunately, the CSO’s of the world are going to be a little more “invested” in protecting the information they are stewards over, and unlike the PCI, will remain primarily responsible for the C, I, & A of the data in the Cloud. The cool thing is, this actually presents a great opportunity to start building a meaningful model for co-management of risk! In fact, we can take the PCI model of contractual risk transference but modify where it goes all wrong, and start working to create something better. And we can start by euthanizing some faulty assumptions.

JUST HOW INFORMATIVE IS PCI DSS?

What might be the.greatest.mistake of the standards compliance mentality is the assumption of value for the past-state measurement. That is, I believe that the CSO needs more than some “past-state” assurance in order to understand their risk. If you look at the concept of “PCI compliance” it really is an examination of a past state of nature that is assumed to be relevant to current and future states. Many people (myself included) are not at all convinced that this past-state is nearly as informative as those who mandate it’s measurement believe it to be.

That’s not to condemn past-state measurements as completely non-informative, they most certainly are useful. It’s just that no self-respecting CSO sleeps well because they were deemed “PCI compliant” 10 months ago. They sleep well because they have good visibility into current-state information and confidence in their strategy concerning future-state (based on that visibility and the outcomes of sound IRM models).

MOVING PAST THE VULNERABILITY SCANNER INTO INTELLIGENCE AND WISDOM

So realizing this new importance (to me, at least) concerning visibility and IRM models, I’m lead to the conclusion that if we are to manage risk in the Cloud, we’ll have to move beyond “PCI Compliance” or the concept that some regular “audit” of controls in place at the host is all we need to understand our ability to manage risk. No, the CSO must have good information concerning current and probable future states. This is that “visibility” I spoke of above. In fact, we’ll need significant amounts of piercing, transparent visibility. And in order to gain that visibility, our insight into Cloud Risk Management must include significant provisions for understanding a joint ability to Prevent/Detect/Respond as well as provisions for managing the risk that one of the participants won’t provide that visibility or ability via SLA’s and penalties . These SLA’s must be expressed in measurable terms (more visibility), and those metrics must have their roots in the things that help understand how we manage risk (those aforementioned IRM models).

THE CLOUD COMPUTING SECURITY SILVER LINING (sorry couldn’t resist)

As I mentioned earlier, I do see an opportunity to create insight. The need for visibility and IRM models would allow us to create a “guidance” if you’ll allow me to use the term. Not a standard or a “best practice” to audit by, but simply a reference document that says “if you’re going to put information on somebody else’s systems and still hold some significant responsibility for that information, here’s the considerations, why they are considerations, and how you might go about collaborating on the management of risk”.

And I think that if we undertake this journey, there is going to be a lot of growth and risk management innovation along the way. But keen insights into what it means to manage risk will be necessary, and secure and forthright collaboration will be of absolute importance.

I say that last bit because, if these pundits are right about the utility of a hosted computing model - the Cloud will happen regardless of the CSO’s ability or desire to manage it.

Microsoft to Release Emergency, Out-of-Band Windows Update Today

Thu, 23 Oct 2008 03:36:15 +0000

At 10 a.m. Pacific Time today, Microsoft will release an emergency security update for Windows. The details of the vulnerability were not revealed in the Advance Notification Bulletin that Microsoft released late last night, but we can assume it's a significant one for Microsoft to go "out of band" and release it before the next scheduled Patch Tuesday, two and a half weeks from now. Out-of-band updates have been rare since Microsoft instituted the regular Patch Tuesday schedule. The Advance Notification states that the vulnerability affects Windows 2000, Windows XP and Windows Server 2003 and is "critical" for them. It also affects Windows Vista and Windows Server 2008, but is rated "important" for those operating systems.

Making Security Vendor Review a Continuous Process

Thu, 16 Oct 2008 11:23:23 +0000

The IT security market is moving faster than almost any area of technology. The churn of new companies popping up and existing companies getting acquired or disappearing can be seen by comparing a Magic Quadrant with the previous year's version. The ever-changing threat is the major driver for this hyperactivity.

Every security professional needs a list of the vendors used, including open-source projects. Don't just do due diligence with new vendors. Do a vendor check when you are renewing support or upgrading a product, and ensure that you check the status of all your vendors at a regular frequency. Have any vendors been acquired? Are they suddenly cool? Having problems with product vulnerabilities? Talking to their other customers about end of life for a product before there's a formal announcement?

We can help you with this - don't hesitate to call or e-mail us on the status of any IT security vendor before making a purchase or renewing a big-ticket support agreement. At a minimum, you may want to do this before your annual internal budget setting.

DDoS Attack Graphs from Russia vs Georgia's Cyberattacks

Wed, 15 Oct 2008 11:01:58 +0000

Part of Georgia's information warfare campaign aiming to minimize the bandwidth impact on its de-facto media platforms such as the web site of their Ministry of Foreign Affairs, I've just received a report part of Georgia's "Russian Invasion of Georgia" series entitled "Russian Cyberwar on Georgia", which is quoting me on page 4 in regard to the "too good to be courtesy of Russia's cyber militia" creative that appeared on the defaced Georgian President's web site. The report also includes DDoS attack graphs and related details worth going through :

"The last large cyberattack took place on 27 August. After that, there have been no serious attacks on Georgian cyberspace. By that is meant that minor attacks are still continuing but these are indistinguishable from regular traffic and can certainly be attributed to regular civilians. On 27 August, at approximately 16:18 (GMT +3) a DDoS attack against the Georgian websites was launched. The main target was the Georgian Ministry of Foreign Affairs. The attacks peaked at approx 0,5 million network packets per second, and up to 200–250 Mbits per second in bandwidth (see attached graphs). The graphs represent a 5-minute average: actual peaks were higher.

The attacks mainly consisted of HTTP queries to the http://mfa.gov.ge website. These were requests for the main page script with randomly generated parameters. These requests were generated to overload the web server in a way where every single request would need significant CPU time. The initial wave of the attack disrupted services for some Georgian websites. The services became slow and unresponsive. This was due to the load on the servers by these requests. As you see from the graphs above the attacks started to wind down after most of the attackers were successfully blocked. The latest attack may have been initiated as a response to the media coverage on the Russian cyber attacks."

In case you're interested in more factual evidence about what was happening at the particular moment in time, go through the following assessment - "Coordinated Russia vs Georgia cyber attack in progress", as well as through the following posts - "The Russia vs Georgia Cyber Attack"; "Who's Behind the Georgia Cyber Attacks?"; "Georgia President’s web site under DDoS attack from Russian hackers".

Change your passwords with your smoke detector batteries

Sun, 05 Oct 2008 08:26:43 +0000

If you’ve changed your smoke detector batteries more recently than you’ve changed your passwords, then you should think about changing some of them now. If you can change passwords more often, great. But I realize that some of us have upwards of 25 passwords to manage on a regular basis (click HERE). It’s not fun having [...]

Private Rockets Could Boost Military, Too

Mon, 29 Sep 2008 00:53:00 +0000

Elon Musk puts the first privately developed rocket in orbit. And that could have huge military consequences if the company can turn the one-time launch into a regular event.

Links for 2008-09-16 [del.icio.us]

Tue, 16 Sep 2008 20:00:00 +0000

Matt Flynn's Identity Management Blog: Situational Awareness in Logs & Events
The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 1) | BlogInfoSec.com
The Daily Incite - September 16, 2008 | Security Incite: Analysis on Information Security
I got an earful from folks in the DLP space about my thoughts on "poor man's DLP," basically the capabilities that come with your email and web gateways that can check for very simple regular expressions and other content matching algorithms. I maintain that for a lot of customers, this is good enough to meet the spirit of the regulations and also to address the most common data leakages. No, this probably won't wash for a Fortune 50 class mega-enterprise. But Joey-bag-of-donuts and his PCI requirements?