Thursday, November 30, 2006

Somehow, This Caught My Attention :-)

A very fun read: "A Hard Lesson in Privacy" that somehow caught my interest. I wonder why... need to psychoanalyze ;-) It all starts from "My brother-in-law just bought a used Intel 20" iMac. The seller was a nice looking blonde, who didn't wipe the disk."

Old (But Still Fun) Presentation on Honeynets and Honeypots

Another classic :-) presentation uploaded (in addition to this one on Unix rootkit analysis): my old (circa 2002) presentation about my experience planning, building and running honeypots and honeynets.

On Oracle 0days

I just love this quote from a DailyDave post:  'releasing Oracle 0day is like "picking on a retarded kid with no legs and arms"'

It also reminds me of this; the day of reckoning is near :-)

And What if the Logs WEREN'T There?

So, Andy plays off my bit on ignoring logs and relates a story where logs proved crucial. Great! However, what is the pink elephant in the room and where is the fat bastard hiding? :-)

[dramatic pause] :-)

Well, Andy discovered the mischief by looking at the logs, but what if the logs weren't there (happily rotated away or erased by the attacker)? Doesn't it just fill you with dread and make you run, not walk to all your systems and cranking the logging up, way up? And then, of course, buying some log management to handle the resulting volume ... :-)

Wednesday, November 29, 2006

A Passing Comment on ROI of Security

So, a colleague sent me this link ("3 Metrics To Gauge Security Spending") and I was meaning to think and blog about it (yes, in that order :-)). But then Mike Rothman opined that this guy is a dumbass in his blurb "3 ways not to gauge security spending". So, what's the story?

First, bear with me since I am still trying to build a coherent picture of security ROI for myself from all the diverse sources of info, some as smart as Pete Lindstrom :-) In general, I am leaning towards "there is no ROI for security; there are only cost savings" (which, as my in-house Ph.D. economist stated, are neither the same nor equivalent)

So, let's see, what is this guy suggesting: "If security spending exceeds 10%, your business architecture is probably poorly designed to cope with attackers." Huh? What's up with the magic number? So, 9.5% certifies you as OK? Sounds like an application of "all hard problems of the Universe have easy, clear and simple INCORRECT solutions" :-)

Further, "If the cost of your security investment is 200% or more of the value of employee downtime, you may be spending too much on security." Same problem - see above, bro.

Going down, "If you are experiencing a loss of 1% or more in productivity, review how you are protecting your information." No comment, really. Wait, one, actually: bullshit.

And, on top of the above, I just hate it when people proclaim something truly obvious as if it were some kind of news, so this guy definitely commits this crime: "The goal of total security is not achievable in complex systems that have millions of hardware and software vulnerability points." Wow, that's deep, good thinking here... NOT! :-)

So, I am with Mike on this one and he said it best: "These "metrics' will do nothing but waste your time, except maybe the gauging the cost of downtime one. I can only hope your CIO didn't read this drivel, because then you'll start to see this crap on your 2007 MBO's."

Security in the Age of Web 3.0

Just think about - how would information security look in this world

Are YOU Ignoring Logs?

So, as I said, DarkReading published this fun list of commonly overlooked aspects of security and one of them is - surprise, surprise! - related to logging. The specific item is "Analyzing trends in security log files," but it applies in general to ignoring logs, at significant peril to your organization.

As usual the log volume is called out as the primary reason for behaving stupidly ("
In fact, most IT and security pros have so much log data that they typically only skim it, or ignore it altogether.") BTW, I am preparing a longer post to illustrate just how much data that can be...

At the same time, it is certainly nice that
DarkReading chose to quote the experts in their piece :-) Even though their obsession with NBAD (in this context) is puzzling... They also seem genuinely confused about the relationship between SIEM/SIM, NBAD and log management.

On Most Overlooked Aspects of Security

As my loyal readers know, I sometimes have an unfortunate tendency to enjoy reading and writing about mistakes. Well, if no mistakes are in sight :-) an "overlooked aspect" will have to do :-) So, here is a list from DarkReading:Enjoy! And, of course, the #6 (Analyzing trends in security log files) deserves a separate post (stand by for it :-))

Tuesday, November 28, 2006

Old (But Still Fun) Presentation: Illogic Rootkit Analysis

I started uploading some of my olde :-) presentations on Slideshare, enjoy the first one: on Unix rootkits and Illogic Kit Analysis (from 2002)

Revisiting 80% Mystery

So, everybody heard that "80% of something bad is due to insiders;" moreover, many just hate this mystery statistic. Here are a few common and different versions:

1. "80% of security attacks are due to insiders."
2. "80% of security loss is due to insiders."
3. "80% of statistics are made up." :-)

Should we completely scrap this 80% beasty or is there any truth in it, after all? Recently I've seen a discussion on one mailing list where some pretty darn smart folks swore that they can personally attest that one or the other version of the above is "absolutely true."

So, any defenders/attackers of the above?

Monday, November 27, 2006

On "What Will Future Anthropologists Deduce from Firewall Logs?"

Now, apparently on a semi-humorous note, Dave Piscitello writes this fun blog post "What Will Future Anthropologists Deduce from Firewall Logs?"

Here is how it starts: "Imagine that several centuries hence, anthropologists uncover a hoard of archived tapes containing terabytes of firewall log files recording events from the last decade of the 20th century and into our present day (2006). Now imagine that they discover how to read the media and open the log files."

Read on for laughs, but not only for those. There is enough sad truth in the conclusion ...

So, You Think That Security Is ...

.. about
a) fighting nefarious hackers
OR
b) protecting information

Now, if you ask as many of our colleagues about this, do you think you'd have more of "a)"-people or "b)"-people? Any bets on the percentages?

Just a random thought of the day...

Friday, November 17, 2006

Humor ... or NOT?

Quotes says all: "an anonymous security professional trying to block field employees from bringing a virus into the office by delivering to all their machines a copy of the virus named as “I_AM_THE_VIRUS-DO_NOT_RUN_ME.doc”. What happened?"

So, is humanity incurable? :-)

On Technology Advances ...


I love both quote and the concept : "Feel like you've lived a wee bit too long? Looking for a spectacular way out -- one that'll keep your family crying in disgust for years on end?"

Yeah??!! Try this new means of transportation: a personal helicopter.










Image borrowed from: http://www.defensetech.org/archives/002980.html

SANS Top20 Controversy

Hmm, I didn't realize that SANS Top20 project has gathered so much controversy lately. So, it all started from these two posts (1 and 2) and the main flash point is this:

"As far as the nature of the [SANS Top20] list goes, it's important to realize that it's based on a bunch of people's opinions."

For whatever reason, some people took offense in this (e.g. here), but why? As a SANS Top20 contributor since 2003, I can tell you that the list is certainly based on opinions and I am happy that my expert opinion was counted among others.

But guess what? When you go to a doctor, what he tells you is his expert opinion, not necessarily raw facts. He used facts, hopefully, to form an opinion. In case of SANS, the list was even called "The Experts’ Consensus", which unambiguously implies expert opinions.

Now, there is another, more serious concern being raised: that the list is not as actionable now as it was a few years ago when it contained individual vulns and CVEs. Well, this one is not true: every item still has sections called "How to Determine If You Are at Risk" and "How to Protect." So, you read the first one and act; then, if exposed, read the second one and act. Done!

On Security Mistakes

I love talking about mistakes :-) In fact, I wrote a few fun papers summarizing common mistakes in intrusion detection, incident response and log analysis. But Richard Bejtlich did a one up, summarizing "Common Security Mistakes."

Those are (quoted from his blog post):
  1. "Failure to maintain a complete physical asset inventory
  2. Failure to maintain a complete logical connectivity and data flow diagram
  3. Failure to maintain a complete digital asset/intellectual property inventory
  4. Failure to maintain digital situational awareness
  5. Failure to prepare for incidents"
What I like about them is that most revolve around not knowing what you got ... Indeed, before you mire yourself in prevention-detection-response, you need to think for a few seconds :-) about what are you trying to protect....

On Obvious X

Now, we know that there are some dumb people out there. Thus, there would be some dumb people doing market research in security. Today the enlightened Mike Rothman attacks one batch of such people, who, after apparently months of research came up with this amazing deep (NOT!) insight: "Blocking viruses is the number-one reason companies purchase new network security products and services." Wow, that is sooo new, circa 1987. In fact, I am willing to be that compliance beat malware as a security motivator some time last year, at least as far as large orgs are concerned.

To add insult to injury, the Infonetics opus contains a few other humorous bits: 50% of companies have deployed NAC, while the other 50% haven't cause they don't know what NAC is. Seriously!

Thursday, November 16, 2006

Conclusions on my Security Conference Poll

Here are the results of my security conference poll, as of today (11/16/2006).

Which information security conference do you like the most?

FIRST (46%)

DEFCON (12%)

BlackHat (10%)

SANS (all) (7%)

Other (7%)

CanSecWest (5%)

RSA (4%)

Gartner IT Security Summit (1%)

ISACA (0%)

Security Decisions (ISD) (0%)

CSI (all) (0%)

MISTI (all) (0%)

ISSA (0%)

TechnoSecurity (0%)
226 total votes

What are the conclusions:

1. The link to a poll was posted on a FIRST web site. I will let the reader decide the causality here :-)
2. DEFCON/Blackhat still rock!
3. SANS is great as well, presenting a close adjusted (see item 1. above) second after DEFCON/Blackhat
4. Some shows where we usually notice an abundance of fake experts presenting their rants are rated low, as they should be
5. Some Gartner folks blessed the poll with their votes :-) (Hi, Rich!)
6. Looks like I totally failed to spell out some of the popular shows, since Other category is so big (please, please, dear readers, post comments and enlighten me on this)

Obviously, the results reflect the bias of my readership selection, but, at the same time, they are not entirely unexpected...

Dr Anton Chuvakin