<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: unpopular]]></title>
    <link>http://securityratty.com/tag/unpopular</link>
    <description></description>
    <pubDate>Tue, 11 Dec 2007 00:13:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Logging Poll #6 "Which Logs Do You LOOK At?" Analysis]]></title>
      <link>http://securityratty.com/article/e0dd2e601a9e1751299e2793ae9c16ff</link>
      <guid>http://securityratty.com/article/e0dd2e601a9e1751299e2793ae9c16ff</guid>
      <description><![CDATA[This poll on looking at logs was relatively popular; let's see what we can learn (live results are also here).

First, what are the top 3 log types that people look at? They are
Unix/Linux server...]]></description>
      <content:encoded><![CDATA[<p>This poll on looking at logs was relatively popular; let's see what we can learn (live results are also here).</p> <p><a href="http://lh3.google.com/anton.chuvakin/R9B3v893BRI/AAAAAAAADO4/RXwza_K5W_s/image%5B6%5D"><img style="border-right: 0px; border-top: 0px; border-left: 0px; border-bottom: 0px" height="440" alt="image" src="http://lh3.google.com/anton.chuvakin/R9B3w893BSI/AAAAAAAADPA/PhkAPF9i4H4/image_thumb%5B2%5D" width="459" border="0"></a> </p> <p><strong>First</strong>, what are the top 3 log types that people look at? They are:</p> <ol> <li>Unix/Linux server syslog</li> <li>Web server logs</li> <li>Firewall logs</li></ol> <p>How does that compare with the top 3 log types that people collect (see picture showing results from <a href="http://chuvakin.blogspot.com/2007/10/poll-results-which-logs-do-you-collect.html">my previous poll</a> below)? </p> <p><a href="http://lh3.google.com/anton.chuvakin/R9B32893BTI/AAAAAAAADPI/HrN-K1wDZMY/image%5B8%5D"><img style="border-right: 0px; border-top: 0px; border-left: 0px; border-bottom: 0px" height="222" alt="image" src="http://lh6.google.com/anton.chuvakin/R9B34s93BUI/AAAAAAAADPQ/fctICLpFYBI/image_thumb%5B4%5D" width="251" border="0"></a> </p> <p>These are:</p> <ol> <li>Unix/Linux server syslog</li> <li>Firewall logs</li> <li>Web server logs</li></ol> <p>Huh? They are the same - doesn't it just make sense? What are the possibilities here?</p> <p>a. People only collect the logs they plan to look at, OR</p> <p>b. People look at logs they collect (duh!).</p> <p>Strangely, I find a) unlikely; I think most people collect more than they can review and that the incident/issue response and compliance needs drive collection more than review or analysis.</p> <p>Another observation is that all of the "big 3" log types are useful for security, operations and compliance and not just for security (like NIDS/NIPS logs). 
Is that why they are so popular?</p> <p><strong>Second</strong>, I was fearful that "<strong>I only look at whatever logs needed for the incident/issue investigation</strong>" would win. It didn't!!! This to me indicates that proactive log review is not as unpopular as I feared. Good! <a href="http://chuvakin.blogspot.com/2008/02/new-morning-new-logs-life-goes-on.html">It is working</a>.</p> <p><strong>Third</strong>, obviously, nobody (well, 4%...) looks at all logs they collect.</p> <p><strong>Fourth</strong>, many more people look at Unix/Linux logs than Windows server logs (factor of 3x); this is not entirely unexpected and my next poll will drill down into this.</p> <p><strong>Finally</strong>, I am SHOCKED that people don't look at NIDS/NIPS logs (only 11% do). <em>People, what's wrong with you? :-)</em> Why have you deployed those beasts if you don't look at what they produce? Then again, maybe you haven't :-(</p> <p>Next poll coming up!</p> <div class="blogger-post-footer">About me: http://www.chuvakin.org</div>]]></content:encoded>
      <pubDate>Thu, 06 Mar 2008 12:01:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/logs">logs</category>
      <category domain="http://securityratty.com/tag/logs poll">logs poll</category>
      <category domain="http://securityratty.com/tag/windows server logs">windows server logs</category>
      <category domain="http://securityratty.com/tag/nidsnips logs">nidsnips logs</category>
      <category domain="http://securityratty.com/tag/firewall logs">firewall logs</category>
      <category domain="http://securityratty.com/tag/poll">poll</category>
      <category domain="http://securityratty.com/tag/people collect">people collect</category>
      <category domain="http://securityratty.com/tag/web server logs">web server logs</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/247040077/logging-poll-6-logs-do-you-look-at.html">Logging Poll #6 "Which Logs Do You LOOK At?" Analysis</source>
    </item>
    <item>
      <title><![CDATA[TSA Misses the Point, Again]]></title>
      <link>http://securityratty.com/article/cdce478cd8cce6ba6363d80ac8f0e2b9</link>
      <guid>http://securityratty.com/article/cdce478cd8cce6ba6363d80ac8f0e2b9</guid>
      <description><![CDATA[They're checking IDs more carefully, looking for forgeries: Black lights will help screeners inspect the ID cards by illuminating holograms, typically of government seals, that are found in licenses...]]></description>
      <content:encoded><![CDATA[<p>They're <a href="http://www.usatoday.com/news/nation/2008-01-20-blacklights_N.htm?csp=34">checking IDs more carefully</a>, looking for forgeries:</p>

<blockquote>Black lights will help screeners inspect the ID cards by illuminating holograms, typically of government seals, that are found in licenses and passports. Screeners also are getting magnifying glasses that highlight tiny inscriptions found in borders of passports and other IDs. About 2,100 of each are going to the nation's 800 airport checkpoints.

<p>The closer scrutiny of passenger IDs is the latest Transportation Security Administration effort to check passengers more thoroughly than simply having them walk through metal detectors.</p>

<p>[...]</p>

<p>More than 40 passengers have been arrested since June in cases when TSA screeners spotted altered passports, fraudulent visas and resident ID cards, and forged driver's licenses. Many of them were arrested on immigration charges.</p></blockquote>

<p>ID checks have nothing to do with airport security.  And even if they did, anyone can fly on a fake ID.  And enforcing immigration laws is not what the TSA does.</p>

<p>In related news, look at <a href="http://www.tsa.gov/travelers/airtravel/index.shtm">this page</a> from the TSA's website:</p>

<blockquote>We screen every passenger; we screen every bag so that your memories are from where you went, not how you got there. We're here to help your travel plans be smooth and stress free. Please take a moment to become familiar with some of our security measures. Doing so now will help save you time once you arrive at the airport.</blockquote>

<p>I know they don't mean it that way, but doesn't it sound like it's saying "We know it doesn't help, but it might make you feel better"?</p>

<p>And why is <a href="http://www.cnn.com/2008/US/01/28/tsa.bombtest/index.html">this</a> even news?</p>

<blockquote>So Jason -- looking every bit the middle-aged man on an uneventful trip to anywhere -- shows a boarding pass and an ID to a TSA document checker, and he is directed to a checkpoint where, unbeknown to the security officer on site, the real test begins.

<p>He gets through, which in real life would mean a terrorist was headed toward a plane with a bomb.</p>

<p>To be clear, the TSA allowed CNN to see and record this test, and the agency is not concerned with CNN showing it. The TSA says techniques such as the one used in Tampa are known to terrorists and openly discussed on known terror Web sites.</p></blockquote>

<p>Also relevant: "<a href="http://information.travel.aol.com/article/air/_a/confessions-of-a-tsa-agent/20080123105909990002">Confessions of a TSA Agent</a>":</p>

<blockquote>The traveling public has no idea that the changes the TSA makes come as orders sent down directly from Washington D.C. Those orders may have reasons, but we little screeners at a screening checkpoint will never be told what the background might be. We get told to do something, and just as in the military, we are expected to make it happen -- no ifs, ands or buts about it. Perhaps the changes are as a result of some event occurring in the nation or the world, perhaps it's based on some newly received information or interrogation. What the traveling public needs to understand the necessity for flexibility. If a passenger asks us why we're doing something, in all likelihood we couldn't tell them even if we really did know the answer. This is a business of sensitive information that is used to make choices that can have life changing effects if the information is divulged to the wrong person(s). Just trust that we must know something that prompts us to be doing something.</blockquote>

<p>I have no idea why Kip Hawley is surprised that the <a href="http://www.theaviationnation.com/2007/12/30/tsa-leaked-memo-reveals-frustrated-chiefs/">TSA is as unpopular with Americans as the IRS</a>.</p>]]></content:encoded>
      <pubDate>Tue, 29 Jan 2008 12:13:57 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tsa">tsa</category>
      <category domain="http://securityratty.com/tag/tsa screeners">tsa screeners</category>
      <category domain="http://securityratty.com/tag/tsa agent">tsa agent</category>
      <category domain="http://securityratty.com/tag/tsa document checker">tsa document checker</category>
      <category domain="http://securityratty.com/tag/screeners">screeners</category>
      <category domain="http://securityratty.com/tag/passenger ids">passenger ids</category>
      <category domain="http://securityratty.com/tag/passenger">passenger</category>
      <category domain="http://securityratty.com/tag/screeners inspect">screeners inspect</category>
      <category domain="http://securityratty.com/tag/airport">airport</category>
      <source url="http://www.schneier.com/blog/archives/2008/01/tsa_misses_the.html">TSA Misses the Point, Again</source>
    </item>
    <item>
      <title><![CDATA[Michael Vick's journey from the NFL to a jail cell]]></title>
      <link>http://securityratty.com/article/564bd16669340ce472d268256ac091b3</link>
      <guid>http://securityratty.com/article/564bd16669340ce472d268256ac091b3</guid>
      <description><![CDATA[I watched CNN this morning as they announced that Michael Vick had been sentenced to 23 months incarceration for his part in organizing illegal dog fighting and animal abuse. I have never been a star...]]></description>
      <content:encoded><![CDATA[<a href="http://bp2.blogger.com/_1UFxC-OgSnA/R266nbmhh0I/AAAAAAAAABs/-tSmseypasM/s1600-h/prison_picture.jpg"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_1UFxC-OgSnA/R266nbmhh0I/AAAAAAAAABs/-tSmseypasM/s320/prison_picture.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5147256610718058306" /></a><br />I watched CNN this morning as they announced that <a href="http://www.cnn.com/2007/US/law/12/10/vick.sentenced/index.html?iref=mpstoryview">Michael Vick</a> had been sentenced to 23 months incarceration for his part in organizing illegal dog fighting and animal abuse. I have never been a star quarterback so I do not know how it feels to go from being an NFL superstar to a felon, but I bet it can't be easy.<br /><br />There's not much upside to this story either.  The sentencing Judge, Henry E. Hudson, was not buying the idea that it had been a "momentary lack of judgement."  He described Vick as being a "full partner" in the crime.  He also told him that he owed an apology to the young children who used to look up to him as a role model.  <br /><br />As if all of this humiliation was not enough, Vick is still liable to be prosecuted under State Law.  Other than an acquittal, which is highly unlikely after his conviction in Federal court, the best he can hope for is to have all of his State sentence run concurrently (at the same time as the Federal time).<br /><br />I recently wrote about Risk Management.  For the life of me, I do not understand why one of the highest earning super stars in the NFL (his 10 year contract was reportedly worth $130,000,000.00) would not hire personal security consultants to keep him out of trouble.  
While a personal protection agent's main role is usually keeping his client safe from outside threats and attacks, in the case of celebrities, this often means keeping them safe - from themselves.<br /><br />A colleague and I were talking last year about an assignment that involved protecting a world famous boxer who had a penchant for getting into trouble.  He said that he never worried about anyone attacking his client, but he constantly worried about his client getting into trouble.  This was most especially the case where females were involved. As a result he was like a babysitter and was never able to take his eyes off of the client (baby) for more than a second.  He said the money was great, but in the end it just wore him down too much.<br /><br />Guys like Vick are really to be pitied.  Most of them go from relative obscurity and poverty to overnight stardom.  Which of us would not fold under that pressure?  We see Lotto winners losing fortunes all the time.  There are always too many hangers-on, both from the old days and newfound friends who are afraid to speak their minds.  However, having the courage to speak up and voice an unpopular opinion might be just what it takes to keep these guys out of trouble.  <br /><br />They need tough love so they don't swap their Armani for prison stripes.  If you come across any super stars to be, tell them about us.  We'll keep them safe.  At the same time we'll keep them out of lawsuits, gossip columns, bankruptcy courts and jail.  It's probably too late for Vick.  At the time of writing his houses are being auctioned off and the creditors are moving in.  <br /><br />As I said before, this is the opposite of Risk Management.  This is avoidance.  We all have risk.  The secret is knowing how to best manage it.<div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Tue, 11 Dec 2007 00:13:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/vick">vick</category>
      <category domain="http://securityratty.com/tag/michael vick">michael vick</category>
      <category domain="http://securityratty.com/tag/client safe">client safe</category>
      <category domain="http://securityratty.com/tag/client">client</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/nfl">nfl</category>
      <category domain="http://securityratty.com/tag/federal time">federal time</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/risk management">risk management</category>
      <source url="http://www.thebulletproofblog.com/2007/12/michael-vicks-journey-from-nfl-to-jail.html">Michael Vick's journey from the NFL to a jail cell</source>
    </item>
  </channel>
</rss>
