Tuesday, July 25, 2006

On NEW "10 Biggest Myths of IT Security"

So, the DarkReading folks posted this fun list of "10 Biggest Myths of IT Security"; check it out...

"The List:

  1. 'Epidemic' Data Losses
  2. Anything But Microsoft
  3. Vendors Have Your Best Interests In Mind
  4. Separate Physical, Electronic Security
  5. Employees Always Trustworthy
  6. Bad Guys Are Winning
  7. Hackers Are a Necessary Evil
  8. Antivirus Software is 100% Effective
  9. Clean Bill of Health Attainable?
  10. More Spending = Better Security "

And, of course, others started promptly shredding the list (like the enlightened Mike Rothman here, here and here). Reading the latter is actually more fun than the myth list itself.

My Fave Security Feeds via Google Reader

I pondered using Bloglines, but it turns out that Google Reader also got this feature now. So, check out my list of fun security RSS feeds

Monday, July 24, 2006

TaoSecurity: SANS Log Management Summit

So, Richard Bejtlich produces his fun and informative (as usual) expose on SANS Log Management Summit . He actually highlighted one the central pieces of the summit - Top 5 Log Reports. Right now, they are:

"1. Attempts to Gain Access through Existing Accounts
2. Failed File or Resource Access Attempts
3. Unauthorized Changes to Users, Groups and Services
4. Systems Most Vulnerable to Attack
5. Suspicious or Unauthorized Network Traffic Patterns"

As I mentioned before, other interesting views on the SANS Log Summit are Randy Smith, LogLogic Blog and my own as well.

"Zero-day Wednesdays"

Here is a ridiculous post on a "Zero-day Wednesday." Read it and ROLF (or 'ROFW', where 'W' is for weeping)

And this is the most uber-ridiculous part:

"Instead, either he or his bosses will use this information for corporate espionage, to create what's called a zero-day attack, using targeted Trojan horses that exploit an unpublished flaw. Worse, they'll wait until after Microsoft publishes its latest patches on the second Tuesday of the month."

So, lemme understand: you got this little research and you develop a 'kewl nu 0day." Next, instead of using it ASAP, you wait until MS finds the same bug, issues a patch on Tuesday and then -boom!- you go and attack someone with it... Riiiight! :-)

Sunday, July 23, 2006

Logs in A Recent UBS Case

I am sure by now everybody heard about this UBS case, mostly due to a sneaky "he is a hacker" defense tactics ("@Stake had employed hackers [oh, horror - AC :-)] and Adams questioned several witnesses about whether hackers could be trusted with critical evidence...").

But there is another less well-covered aspect of this: logs. Here is an example: "Faulkner testified Wednesday that logs of any kind are poor forensics evidence. " I suspect he is talking about "logs=hearsay" argument, which might or might not fly.

Moreover, it gets deeper: "Faulkner said the logs can't be trusted as a form of evidence because too many of them can be edited by a root user. And he added that there are different means of access, for example, that aren't recorded in a specific log. Faulkner said user history logs can be edited by a root user, as can SU logs and command logs, which record what commands were made on the system. ''The logs are more for accounting,'' he told the jury. ''They're not designed for investigative purposes because they don't log everything.''

It makes little if any sense to me. From what I read (yeah, I know, IANAL, etc) just saying that something can be done does not invalidate the use of logs. Yes, UDP can be be spoofed, injected and intercepted, but that clearly doesn't lead to all syslogs being thrown out all the time. Yes, files can be modified, but it doesnt' mean they actually were.

So, what logs specifically were used: "VPN logs, WTMP logs [...] and SU (Switch User) logs." Are they guaranteed to always be bad evidence? Definitely not!

Here are some more interesting comments on the same case (and, not, I didn't write them :-))

Which Year is That?

While I am not a pack rat, I found this old issue of a certain (it would be clear later why I am not dicslosing it) security magazine when I was packing my stuff to move to California. This mag issue, dating back to 2002, covers a few of the predictions for 2003-2007.

So, here are the "5 Biggest Security Threats, 2003-2008

1. "Super" Worms - they came and went, so its a 'yes' (Slammer does fit their definition)
2. Stealth Attacks - probably a 'yes' although prediction is way to fuzzy to check
3. Automatic Update Exploits - didn't really happen yet
4. Routing/DNS Attacks - yep, this one is a 'yes' due to DNS
5. Combined Cyber/Physical Threats - this one was clearly there for marketing reasons :-)

Also, can you guess - without googling, of course - what magazine was that? :-)

Friday, July 21, 2006

On Drones

Just a fun blurb, if you into that sort thing:

Defense Tech: High-Flying, Secret Drone Unveiled: "Skunk Works is also trying to rig Polecat up with 'a fully autonomous flight control and mission-handling system that will allow future UAVs to conduct their missions, from take-off to landing, without the intervention of human operators,' Jane's adds."

It does sound cool, doesn't it :-)

How Not to Sell Security to Enterprises

Enterprise Architecture: Thought Leadership: Venture Capitalists: Please teach your portfolio companies how to sell to enterprises

Slightly paraphrased anti-advice from the article:

1. The answer to every question should not be 'Yes', as was thought in the past, but 'Yes, and Sarbanes-Oxley too' :-)
2. If asked about your CTO's blog, ask 'C-what-O?'
3. 'Open-source software? We just use Windows 2000 everywhere!'

:-)

Thursday, July 20, 2006

Appliances are from MARS, Crackers are from Venus :-)

This simply defines a new low in hardened appliances :-)

"A malicious attacker could also execute remote code on a CS-MARS appliance and gain administrator privileges via an optional JBoss JMX console. "

What Security Do You Do?

Warning: philosophical content ahead! :-) Here is a question: what security do you do? The common answers that I've heard are:

  1. "Computer security"
  2. "System security"
  3. "Network security"
  4. "IT security"
  5. "Data security"
  6. "Information security"
In addition, "information assurance", "IT risk management" (which is likely to be a bit different though) and other less common responses are there. So, why ponder this obtuse subject? I think in this case what you think you do affects how you approach security. For example, if you do "network security" you likely tend to think in terms of packets, flows, IDS signature strings, etc. If you are into "system security" you "harden", "securely configure", "patch", etc.

Where am I getting at? Is there the best choice? Yes, it is "information security"! Information encompasses data, resides on systems, flows through the network, etc. My advice is to do "information security" since it allows for a broader view (but without sacrificing depth) and to make you more future-proof, as far as our profession is concerned...

Here is a Results-driven Strategy... :-)

I think I blogged about this book some time ago, but here is another fun blurb, borrowed from here.

"QUESTION:

'How can we repurpose our results-driven strategy for scalability and a maximization of best-practice, frictionless, future-proof alignment moving forward?'

How would you answer?

(A) 'Excellent question, boss! Let me interface with my people off-line for cross-departmental buy-in and I will ping you later. By the way, that is a world-class tie you are wearing!'"

For B), C) and D), go read it.

On "Is Security Boring?"

I've been meaning to blog aboit it for quite some time. So, "Is Security Boring?"

So this guy from nCircle says: "Sometimes I think it's like being a cop... at first you're all excited to be making a difference. You're going to save lives, make the world a safer place. Fast forward 10 years later, and you're probably well jaded after busting the same junkies 1000 times, the same person that beats his family and never learns, the same thieves that keep getting in trouble. In short, people rarely learn and they keep making the same mistakes." Etc, Etc

Overall, I thought about it and the final conclusion is: depends on the mindset. In NLP parlance, if your metaprogram is "sort for difference" you would find different things out there and if you "sort for similarity" you will find things to be the same. So, obviously:

* IPS is just a layer-7 firewall OR IPS does different things from the old Gauntlet
* XSS is just another validation error OR XSS is a new attack

I am too lazy (or too busy!?) to come up with more examples, but if you seek boredom - "security is boring." If you seek excitement - it is truly exciting! And, why would somebody seek boredom is beyond me...

On Obvious II

Here is a perfect addition to my collection of "obvious=stupid" in our security realm. Quoting from RationalSecurity blog:

"The first of many 'Captain Obvious' quotations oft times contradicted further on in the article to fill up the word count:
* But it was the critical holes that caught most security experts' and managers' attention. [!-hmm, I wonder why]
* Anything that is ranked as critical and allows an attacker to take control of a system is very high priority [!-they should have said 'everything critical is of critical priority. duh!]
* An anonymous user from outside could deliver malicious traffic [!-wow, this is serious, guys]
* I wouldn't be surprised if you saw an exploit being publicly released tonight or tomorrow ..."

The source of this is - oh, horror - DarkReading, which is otherwise high quality!

On Security Industry Evolution

Here is an unusually good piece from an "SC Magazine" (I guess they fired some of the assclowns they used to have) Some insightful quotes of note follow!

This one is a response to the whiners who say that in a few years security will get absorbed in the infrastructure:

"'In the real world, information security is there to make up for shortfalls and mistakes made by the infrastructure side,' says John Pescatore, a Gartner analyst. 'If everybody configured their servers correctly, you wouldn't need security [companies]. However, we know people make mistakes. Things get misconfigured. If the only security we have is built into the infrastructure, we're dead.'"

A fun VC quote:

"Security is like any other space people are investing in," he says. "There are some bad ideas out there being funded, there are some nice-to-have ideas being funded, and then there are a handful of game-changing ideas beings funded."

A dumb quote from a vendor who is desperate to be bought:

"I think innovation has crossed over to the point where the small company is no longer the organization the customer looks to to provide a product..."

And a final conclusion from this Cybertrust guy:

"I personally believe IT security will not disappear," Becker of Cybertrust says. "I think it's distinct enough from the routine stuff. I believe it will remain a standalone industry."

It feels good to know that what we do is "distinct enough from the routine stuff"!

On Antivirus Failures (?)

Wow, is this news or what? I didn't have that much respect for the AV efficiency, but I didn't think that it has an 80% miss rate: "'At the point we see it as a CERT, which is very early on -- the most popular brands of antivirus on the market … have an 80 percent miss rate. "

How does one explain this? I suspect those guys took all the spyware and badware universe and just checked how many of those "baddies" were caught by the vanilla anti-virus folks...

In general, this drives the final (?) nail in the coffin of "malware for everybody" and illuminates the bright future of "malware for its victim."

On State Security Laws

Here is some useful info on all the US state laws related to the security which were passed in 2005/2006. The info is assembled by the Multi-State Sharing and Analysis Center (MS-ISAC).

Here is an example:

"Arkansas: An act to provide notice to consumers of the disclosure of their personal information and for other purposes. (Signed by Governor 3/31/2005, Act. 1526)

Connecticut: Requires a business to notify consumers of a breach of personal information without unreasonable delay. It prescribes the method of notice and the options and form for substitute notice. (Signed by Governor 06/08/05, Effective Date for Breach Notification section 1/1/06, Public Act 05-148)

North Dakota: Requires disclosure to consumers of a breach in security by businesses maintaining personal information in electronic form. (Signed by Governor 4/22/05, Chapter 447)"

etc.

In general, ISACs have a reputation of being a historic failed attempt at data sharing, but this one seem to be doing something useful...

Wednesday, July 19, 2006

Small blurb on vendor bias...

Check out this "survey" - the clearest example of vendor bias I've seen in a while. It proclaims: "With more than 70% indicating they were “somewhat” to “very” concerned about potential loss of data."

Isn't it interesting that if a data security vendor does a survey, the top concern is data security. On the other hand, if an anti-malware vendor does a survey, worms and virues top the charts...

Tuesday, July 18, 2006

On 2006 CSI/FBI Survey

I would not go as far as to say that it is "harmful", like Chris Walsh did here. It certainly provides humorous relief. For example, I've noticed a discussion in CSI Alert Newsletter on why the incident loss numbers are falling every year. Yeah, I can answer this one: because the numbers are not statistically solid...

Emergent Chaos: CSI/FBI Survey considered harmful: "The latest 2006 CSI-FBI Computer Crime and Security Survey has been released"

Chris also suggests how a security survey can be improved: "A computer scientist, an economist, and a survey researcher need to gang up on this. The economist and CS guy can get the NSF money, and the survey researcher can spend it the right way: on a statistically valid sample and techniques proven to increase response rate. "

Randy Smith on SANS Log Management Summit

Here is another interesting account of the SANS Log Management Summit that I already blogged about. Randy points some things I missed in my story. Here is his - "Take Aways from SANS Log Management Summit": "It was a fascinating week at the SANS Log Management Summit."

I like some of his points, such as this (I regret :-) I didn't spell it out as succinctly as he did): "Log management is not a pure security effort and the smart IT security officer will work with others especially IT operations, compliance and legal teams to ensure the project gets funded, maximizes value, enhances legal recourse against bad guys and doesn’t introduce new legal risks associated with privacy."

And, further: "To justify the expense of a top shelf log management solution you have to realize that log management is Security, [IT] Operations and Compliance folks from all three areas need to support and pay for the project."

For other fun bits, check his full post.

On Intuition

Everybody wants their product to have the "intuitive user interface." But what does that mean, exactly?

Check out this insightful post on the subject: Creating Passionate Users: Intuition - "Making the user interface “intuitive” is often our highest goal when we do our professional work [...] Mostly it means that people can quickly understand the UI, or that they get the feeling the UI disappears in their work. "

On Taxonomies of Security Pros :-)

Here is some fun (no, really!) blog post from Richard Bejtlich on "How Do You Fit Into the Security Community?" or a taxonomy of security professionals.

Are you an ivory-tower Academic? A sneaky Hacker? A lawful Policeman? A lying (or truthful...) Consultant? A code-flinging Developer?

Read this post (and the comments) and you'd know :-) but don't take it too seriously...

Friday, July 14, 2006

Logblog on SANS Log Management Summit

Here is another fun account of SANS Log Management Summit, this time from our corporate blog. It has a more detailed account of the lawyer talk as well as other stuff. One more interesting thing that Ben Wright said was that keeping "logs of log management" i.e. records about what was reviewed might sometimes be more important that keeping the logs themselves since it proves "due diligence" as well as "lack of negligence."

More on log management as a market

Here is a fun bit from the ever-so-enlightening Mike Rothman. I am quoting it in its entirety:

"Finally, I didn’t see the log management market happening in January, but it’s here. Many of the SIM vendors are trying to re-position in this space, and for one or two it may even work. But there will be the inevitable consolidation here as well, but more likely with systems management vendors (IBM, HP, CA) or storage folks (EMC, NetApp) breaking out the checkbook as opposed to Big Security. The main buyer for Log Management is the compliance guy, not the security guy – making it more of a systems management/storage discipline over time."

The latter part of the comment I attribute to the ongoing compliance with big things like ITIL and COBIT, which apply to IT governance, and not just to the "SOX of the day" :-)

On Obvious

I guess I should start a collection of deeply obvious and thus near-idiotic things that [fake] "security experts" like to proclaim.

Here is one highlighted by Fred Avolio's Musings: Removable media in the workplace can become a security timebomb. Wow, what a revelation!

The second was from the ISSA Journal; it was a paper on DoS attacks written under the theme of "don't underestimate DoS" :-) Oh, really? I thought the proper response to DoS is to look the other way :-)

I am just waiting to log more of this type of writing, such as that "viruses are bad", "attacks will continue", "security is a problem", etc.

On SANS Log Management Summit

So, I have a lot of fun comments from SANS Log Management Summit and too little time to post. Here are some general ones; I will probably go into details early next week.

One fun bit was from a lawyer talk. He suggested that security policies need to be as vague, losse and flexible as possible so that if you are dragged to court, the jury won't find that a) you had a very specific written policy, b)you were aware of it and c)you patently didn't follow it (for whatever reason). Result? Jail time for negligence! :-)

Overall, the conference is probably the most useful one I attended, ever (!) Yeah, there was a boring speaker or two, but overall the quality was awesome and a lot of fun material came to light. In addition, it looks like SANS will be helping with a log standard initiative! Let's see whether this time it will work...

I also did my first vendor panel in my new role of a Director of Product Management. It sure was fun, if a bit stressful at times. Unlike in my previous job, I actually believe in LogLogic technology and can defend it against evil competitors. From the panel and other meetings I realized that while some are still confused about the differences between SIEM and log management, there is a core of people who understand it and either deploy both (if needed) or choose wisely to satisfy their requirements.

Let's see what Richard will blog about the conference :-)

A "Big Ten"

So you got you "kewl" little security start-up, but what's your "exit"? Whaaat? You are not thinking of the exit, just yet? Well, let's hope your CEO does... In this post, Matasano folks expose, for lack of a better word, a list of common security exits for smaller vendors.

Matasano Chargen » A “Big Ten” Roundup of Acquirers: "It’s a bit gauche (for lack of a better word) to post something like this; it’s kind of “not talked about” inside vendors."

The list has IBM, Cisco, EMC, CA, Symantec, Verisign, Juniper, BMC, McAfee and Checkpoint, but check out the article for some fun commentary from the Matasano crowd.

On PCI and teeth :-)

OMG, where is the world going. First, toothless HIPAA (don't even try visualising a toothless hippo :-)), now another horrible revelation: PCI is toothless too: "Another factor in the slow pace of adoption is the perception that PCI, unlike government mandates, is a private standard lacking enforcement teeth"

I actually kind doubt that PCI has no bite, but if the rumors are true and CardSystems truly was the only company that suffered PCI action, that maybe it is true...

On Stratfor Forums

As those "in the know" already know :-), Stratfor (you are a subscriber, right?) launched their discussion forums. Check them out, a lot of fun discussions are going on there (if you are into that sort of thing :-)). Here is one example: forums.stratfor.com :: Causes/thoughts on the US trade deficit?

Just How Many AV Sigs Will the World Tolerate?

Dark Reading - Application and Perimeter Security - Malware Volume to Double by 2008 - Security: "At the current pace -- 2006 should see more than 60,000 new threats, up from the 56,000 during 2005 -- the 400,000 barrier should be broken in under two years,"

Is anybody else asking this question: does the current anti-virus model make sense in the long-term? Maybe Sanas and others will rule the world with their signature-less AV? Or will they?

Tuesday, July 11, 2006

Arrived at the Log Management Summit

I just (hmmm, at 1:30AM...) arrived at SANS Log Management Summit in DC. I am doing two fun things here, for those who want to attend them:

1. On Wednesday at 4:00PM-5:15PM, I would be involved in a "Vendor Shoot-Out," where you can ask questions and see "us" :-) fight it out...

2. On Thursday, I am doing a "Lunch and Learn" on choosing your approach to log management: buying, building, outsourcing or combining the above strategies.

Just drop by!

Saturday, July 08, 2006

[Finally!] Hello, Cali-foh-nia!


As most of you know, I have finally moved to Sunnyvale, CA, as they say "in the very heard of the Silicon Valley"

(see the view from my window on the right)

So far, it's been pretty incredible - great company, great environment! I do miss the [swimmable] beached thought...

BTW, all those folks who were saying "hey, Anton, give us a call when you move to the Valley, so we can have lunch or something" :-), now is your time to come out of the woodwork...

Dr Anton Chuvakin