Tuesday, October 31, 2006
Basically, "there are 7 events associated with object access auditing in Windows." The blog post by Eric Fitzgerald sheds some light on Windows object access event logs.
The most curious thing is the part where the complexity of the audit is explained. The quote is:
'You might ask, “Well, Eric, why don’t you just get rid of all that junk and just log an event that says what Word did?”.
Good question. As I mentioned in my post on “Trustworthiness in Audit Records” [which I will blog about soon :-) - AC], the only practical way to do that would be to instrument Word for audit, and then the audit trail would be exactly as reliable as the user using Word, because if Word can write to the audit trail, and Word is running in the user’s context, then the user can write to the audit trail.'
Did you get it?
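To make Eric's point concrete: the audit trail records what the kernel saw per handle (open, access exercised, close), and "what Word did" has to be reconstructed from that. Here is an added example, not code from Eric's post or from this blog, that correlates such events; it assumes the pre-Vista Security log IDs 560 (handle opened, rights requested), 567 (a right actually exercised) and 562 (handle closed), and the sample events and field names are constructed.

```python
# Added example: reconstruct "what the process did" from per-handle Windows
# object access audit events. Assumed (pre-Vista) IDs: 560 = handle opened
# with the rights requested, 567 = a requested right actually exercised,
# 562 = handle closed. Events and field names below are constructed.

SAMPLE_EVENTS = [  # constructed: a word processor opening C:\docs\plan.doc
    {"id": 560, "pid": 1844, "handle": "0x4c", "image": "WINWORD.EXE",
     "object": r"C:\docs\plan.doc",
     "accesses": ["READ_CONTROL", "ReadData", "WriteData"]},
    {"id": 567, "pid": 1844, "handle": "0x4c", "accesses": ["ReadData"]},
    {"id": 567, "pid": 1844, "handle": "0x4c", "accesses": ["WriteData"]},
    {"id": 562, "pid": 1844, "handle": "0x4c"},
    # handle value reused after close: write right requested, never exercised
    {"id": 560, "pid": 1844, "handle": "0x4c", "image": "WINWORD.EXE",
     "object": r"C:\docs\~$plan.doc", "accesses": ["ReadData", "WriteData"]},
    {"id": 562, "pid": 1844, "handle": "0x4c"},
]


def summarize_object_access(events):
    """Correlate 560/567/562 by (pid, handle) and return one summary per
    closed handle: object, rights requested at open, rights actually used."""
    open_handles = {}   # (pid, handle) -> summary of a handle still open
    summaries = []      # completed (closed) handles, in close order
    for ev in events:
        key = (ev["pid"], ev["handle"])
        if ev["id"] == 560:
            open_handles[key] = {"image": ev["image"], "object": ev["object"],
                                 "requested": set(ev["accesses"]), "used": set()}
        elif ev["id"] == 567 and key in open_handles:
            open_handles[key]["used"].update(ev["accesses"])
        elif ev["id"] == 562 and key in open_handles:
            s = open_handles.pop(key)   # pop: handle values are reused
            s["unused"] = s["requested"] - s["used"]
            summaries.append(s)
    return summaries


def describe(summary):
    """One readable line per handle: the 'what Word did' that the kernel-side
    audit cannot log directly but lets you derive after the fact."""
    used = ", ".join(sorted(summary["used"])) or "nothing"
    return f'{summary["image"]} {summary["object"]}: used {used}'


if __name__ == "__main__":
    for s in summarize_object_access(SAMPLE_EVENTS):
        print(describe(s))
```

The gap between "requested" and "used" is the interesting part for a reviewer: a handle opened with write rights that only ever read is noise, while a 567 showing WriteData is the real evidence.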
Indeed, the security industry needs such advice. The message is clear: next time, if you happen to come across (or create) a tool to fake boarding passes, don't post it online. Just use it!
First, a quick question: do you have 0wned boxes on your network? Puleeease don't say 'no' cause I'd know that you would be lying :-) Now that you've accepted the fact that some boxes on your network are 0wned by intruders, do you want to detect it? Yeah? If so, you need intrusion detection. Notice I didn't say IDS or NIDS, I am just saying that it is pretty darn obvious that people need to detect intrusions somehow and thus they need something that does "intrusion detection."
Similarly, it'd be nice (but completely unrealistic ... ) if such intrusions were prevented from occurring in the first place. If you want to try to attempt to take a crack at that :-), you'd wish you had intrusion prevention, which is obviously a good idea, in principle.
Thus, if somebody tells you that you "do not need to detect intrusions", he is quite likely an idiot.
However, what do the above paragraphs have to do with lil black boxes called NIPSes and NIDSes? Absolutely nothing, it pains me to say so. And that is where the "offensive computing experts" (thanks for the offensive term, Richard! :-() are at least partially correct in stating that IDS does not really give you a much needed ability to detect intrusions. Further, as Richard put it, at best it gives you a "hint that something bad might be happening." Thus, you can go buy a STGYAHTSBMHH and not an IDS. And there is always a classic IDS use case called "a system that you can go to after shit hits the fan to see if any pieces stuck to it" (ASTYCGTASHTFTSIAPSTI, yuck...) :-)
Most of the other points made in the ensuing mayhem - errr, discussion - are actually derivatives of the above. Yes, a signature-based "IDS" can sometimes detect intrusion attempts made with old exploits. Yes, anomaly detection works ... when it does. Etc, etc. However, the main point remains the same: you need intrusion detection, you just can't buy it in the store.
Thursday, October 26, 2006
Next: CSI 33rd in Orlando, Nov 5-9, 2006.
BTW, my event schedule is also posted here.
"The perimeter is consolidating around secure accelerated access."
As most of you know, I've been picking on the "de-perimeterization" folks (such as Jericho Forum) for promoting the claim that "the perimeter is disappearing." I've long argued that the perimeter is not going away, it just tightens and moves closer to data. In other words, it changes, but doesn't vanish. And, the above line is one of the best darn summaries of how it changes.
So, if you are in perimeter security, you should be involved in "secure, accelerated access," which, BTW, applies to both outbound access to the web and inbound access to public or extranet sites...
"a) Log format (syntax)
b) Event transport
c) Event classification (also called taxonomy, categorization, grammar)
d) Logging recommendations (what events specific devices should report AND what fields they should contain as a minimum [which some people call 'scope of what to log'])"
And, there are a few promising efforts underway to address that... fun stuff indeed.
Wednesday, October 25, 2006
Come on, Rich? How do YOU know? Given that we know (and you yourself state) that there are very few ways to prevent, block or even detect it ... What might be more true is that an average security-sloppy enterprise has more to fear and more to lose from "stale" attacks; however, it is NOT the same as saying that there are few 0days out there.
I am stunned when folks make those claims. BTW, check out this list that Pete Lindstrom maintains on public exposures of 0day attacks. But how many were used and are not on his (or anybody's) list? Ominous silence is the answer :-)
Here comes another one! Virtualization has long fascinated me, both as a new technology, a security challenge and just an overall fun thing...
So this blurb from NetApp team has a few other interesting things. "Going forward, VMware offers even more interesting visions: rapid provisioning of new applications, transparent migration, virtual data centers that provide DR protection for multiple physical data centers. But that's not what I see people excited about today. Today's excitement comes entirely from how much you save when you reduce servers by a factor of 5 or 10 or even 20."
To conclude, I am sooo envious about this team of friends that I have that have been busy for a few years (!) spending DHS money trying to find a true "break-out" from VMware... Are they close to the Holy Grail? They might be, but they are not talking :-)
So, NW "Top 10 security companies to watch" has companies in email security, malware protection (no kidding!), data encryption, authentication, mobile device security, intrusion (Mmmmm, exploit) prevention, etc.
So far, I can't quite get my hands around the list and create some meta-knowledge based on it (i.e. say something smart) :-) Make your own conclusions ...
"In security if you think:
- You’ve invented a new, unbreakable encryption algorithm
- You just created a new, unbreakable defense against 0day attacks
- You perfected any single tool, at any layer, that can stop any attack, of any kind
- You built something to eliminate the insider threat
- You can take a couple classes and defend a large enterprise
- You have designed unbreakable DRM
Amen to that! :-)
As I mentioned before, this is likely not entirely true. Yes, the current landscape will change and many vendors will fail or get acquired, but I suspect enough of the new ones will be created as new threats as well as other IT and risk needs arise. Read this old piece where I explain why I think that it will be the case.
So, let's try this for size, folks :-)
a. I borrowed your car when you were away (by picking the lock) and then returned it undamaged. I also put the gas in. No car theft here, right?
b. I came to a store and took a TV without paying for it. I just watched a show and returned it. No crime, right?
I did think that the trend is to sync the online world with the offline, but it appears that this ruling goes in the opposite direction...
Specifically, "Program x is more secure than program y" sounds pretty silly. Admittedly, the environment and the user/implementer have a more dramatic effect on the overall security than the secure code quality (if that is Pete's spin, then I'd buy it), but surely OpenSSH has a more secure code base (due to more security audits and code review) than, say, MS IIS 2.0...
Also, "You can't get ROI from security," come on? When was the last time your firewall paid you some cash? :-) Can you tell me which brand that is so I can get one of 'em...
So, here is the list, stolen from Pete's blog:
- "Security through obscurity is a bad idea.
- Strong passwords are strong.
- Altruistic bugfinding is beneficial.
- You can't quantify risk.
- You can't get ROI from security.
- Security is about process, not product.
- SSNs are secret.
- Program x is more secure than program y.
- Stand up to your boss and "just say no."
- Security is failing."
Indeed, I can second that "(bad) security analogies are a pet peeve of mine" too. I made fun of them repeatedly on my blog.
And here is a really cool way to short-circuit this, proposed by the Risk Mgt blog:
"Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven’t previously considered and accounted for."
This is soooo cool indeed!
This post reveals some of the thinking that goes on in there.
I would like to draw your attention to this conundrum: people like the idea of "self-defending data", but hate DRM. A new cool security company idea? I hope my VC friends are reading this :-) I am thinking of writing a short paper on that very subject ...
'What is North Korea’s Core Purpose: To keep the current regime in power.
How might its Marketing Department make this happen?
Let's start with a unique value proposition (UVP). What differentiates North Korea from its competitors (Iran, the Taliban, Hezbollah, etc.), each vying for its spot in the world marketplace and doing everything possible to maintain power?
Without products, services, money to invest or a charming personality, if I were offering advice I would recommend fear. North Korea is a scary place and not much else. So, our UVP for North Korea is:
"We guarantee that our promise to change the world is unlike any other. Buy now or pay us later."'
But do read on.
Friday, October 20, 2006
And, as I said before, I personally think that there is nothing wrong with that... but then again, I don't run an ISP for a living :-)
Thursday, October 19, 2006
So, everybody is talking about Bruce Schneier's HITB talk where he unveiled his "Top 10 Security Trends," but you know what? It is truly underwhelming! Mr Crypto fell into the pit of "re-rambling" on the obvious. Examples are:
"Information is more valuable than ever." Duh.
"Networks are critical infrastructure." Double-duh.
"Complexity is your enemy. " Yeah, and...?
"Regulations will drive security audits. " Triple-duh.
Come on! All those points are deeply obvious to anybody watching the security industry. So, here is the challenge to make it more fun: name ONE item from the list which is not only not painfully obvious, but also likely wrong...
And the winner is: "Worms are more sophisticated than ever." Many observers point to a decline of a good ole worm, not to its "increasing sophistication."
Finally, here is a simple but scientific test :-) to check whether you are stating the obvious and thus wasting people's time and unnecessarily increasing entropy in the Universe, thus possibly bringing its decline closer :-). Formulate the opposite statement and check whether it sounds truly idiotic. No? You are safe from "stating the obvious disease." Yes? Sorry, try next time :-)
"Information [today] is LESS valuable than ever." Yep, dumb indeed.
The rest is left as an exercise for the reader...
Yeah... I know I am late with this, but it is still fun... Knowing that I am following the security market developments religiously, a friend just asked me "what's hot in security now?" He was looking to escape a certain dying SIM vendor (you can easily guess which vendor it was, BTW...) So I thought "Ok, what IS hot now?"
Well, NAC is hot for sure. It is steaming hot, and I suspect will start to cool down a bit next year. But NAC is not "novel-hot" since folks have been talking about it for at least 2 years. It is "deploy-it-hot!" NAC leads to all things "endpoint security" as well.
Believe it or not, but I think that log management is hot. Is that my head or my vendor hat speaking? ;-) The main reason I think it is hot is that people are being forced to log more, but, in general, lack tools to deal with the results. Whoever can creatively solve it (hint-hint) will rule the world (well, maybe :-))
So, NAC, yeah... Core Impact is certainly cool, but is it hot? I dunno; it is still a bit of an esoteric niche tool, even if useful and cool. Further, I would opine that secure code scanning tools are NOT hot. Many people still ignore them and pretend they don't exist :-) And please, someone explain how "virtual patch" is not a regular NIPS? Didn't ISS call their NIPS "virtual patching" a good number of years ago...? Identity-based encryption is way cool, no doubt. But I'd wait for broader deployment of such technologies before I consider it hot. After all, even Gartner has a list of "cool" vendors, which is often different from the list of hot technologies climbing the famous hype curve....
Here is what Matasano folks consider hot.
Static Code Analysis
Identity Based Encryption
Assessment Accelerator [for Dynamic Code Assessment]
802.11x VLAN Assignment
Black Box Vulnerability Testing
On a related note, the "What is hot?" question invokes the related "what is NOT?" question. Now I realize that by providing such a list you can offend people. So? I don't think that a smart person should be offended by such a label, since the primary reason why something becomes "not hot" is by entering the mainstream, where you can potentially earn more money (and have fun in the process as well). In light of this, I think that standalone anti-spyware has recently entered the "NOT list;" NIDS is certainly a major "NOT" even though I still think that inventing a "better NIDS" is not futile (and of course that intrusion detection is important!) So I will start tracking the "NOT list" from now on.
Wednesday, October 18, 2006
Some fun examples are:
#3 Marginal Niche – choosing an obscure niche to avoid competition might be fatal
#6 Hiring Bad Programmers - most of the e-commerce business in the 90s died because of bad programmers
#10 Having No Specific User in Mind – sometimes startups assume that somewhere there must be someone interested in their product. Somewhere…
#18 A Half-Hearted Effort – the lack of commitment towards the startup is not that rare ...
Tuesday, October 17, 2006
"1. Operational Excellence aka Cost Leadership
Provide middle-of-the-market products at the best price and the least hassle.
2. Product Leadership
Provide the best product, period. Continue to innovate year after year.
3. Customer Intimacy
Provide unique solutions to customers by virtue of intimate knowledge of their needs. "
So, which one is your company doing? :-)
Monday, October 16, 2006
Monday, October 02, 2006
Here is a quote: '... President-elect Pustule said he "has always been kind of interested in politics because of my job", a service technician and junior programmer at Diebold, Inc., the primary manufacturer of electronic voting machines in the United States. Tamper-proof Diebold electronic voting machines have figured prominently in recent U.S. elections, particularly those elections in which outsider candidates sharing a political affiliation with Diebold executives have won by bafflingly wide margins.'
'The fact that the totals exceed 100% has been attributed by a Diebold spokesman to "a special kind of rounding".'