Monday, April 30, 2007
Here is a useful bit of insight that emerged from this discussion: if you think of such products as ACCIDENTAL leak prevention defenses, you will likely get over the intense desire to claim that "they are all hopelessly broken by design." This idea was inspired by this post, which said: "There is no doubt that these systems are evadable [...] Inadvertent data leakage is a different story [and can be managed effectively]."
Indeed, insider data theft is a MUCH more complicated problem than packet sniffing can ever be, but - you know what? - much more data "leaves the house" due to incompetence than malice, so these products are actually useful ... At the same time, if you think "buy a box - stop a dedicated insider from stealing your valuable data," you definitely need your head examined by a certified veterinarian :-)
Friday, April 27, 2007
Can't agree more! A few months ago, I posted this controversial blurb about access vs. access + audit, where I suggested that all access to anything should be, if not audited, then at least potentially "auditable." And now it seems like a US Congress-level issue, thanks to esteemed Dr Geer :-)
UPDATE: want to get the goodies I mentioned in the paper? Email me!
Monday, April 23, 2007
Wednesday, April 18, 2007
Just to top this discussion off, here is a quote from the VirusTotal guys themselves (this): "Generally speaking, even though it may seem obvious, we must state that all anti-malware products have detection problems due to the tremendous proliferation and diversification of malware nowadays." Amen to that!
After long months of undercover work, CEE is ready to be presented to the world. Keep in mind, you read it here first!
Below is an excerpt from a brochure, to be published at MITRE's site any day now. I do think that the world is ready for another battle for the establishment of a logging standard, after a long string of miserable failures.
"Common Event Expression (CEE™): A standard log language for event interoperability in electronic systems.
CEE standardizes the way computer events are described, logged, and exchanged. By utilizing a common language and syntax, CEE takes the guesswork out of even the most menial of event- or log-related tasks. Tasks including log correlation and aggregation, enterprise-wide log management, auditing, and incident handling, which once required expensive, specialized analysts or equipment, can now be performed more efficiently and produce better results.
If multiple systems observe the same occurrence, it should be expected that their description of that event is identical. When combined with relevant event details (time, source, destination), a computer should be able to immediately determine whether two or more logs, data logs, audit logs, alerts, alarms, or audit trails refer to the same event. In order to make this happen, there needs to be a scalable, well-defined way to express events."
I will post more stuff as well as the link to the brochure, when it is available. Next: four areas of log standardization, recommended by CEE. Stand by!
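The brochure's core claim above (if two systems observe the same occurrence, a computer should be able to tell from the event details that their records refer to the same event) is easier to appreciate with a concrete normalizer. The following is an added illustration of that idea and not CEE's actual syntax, MITRE's code, or anything from the brochure: it maps two constructed, differently-formatted log lines (a hypothetical firewall DROP and a hypothetical IDS alert) onto one common event vocabulary and then decides whether they describe the same occurrence. The field names, the `ACTION_MAP` vocabulary, the log formats and the clock-skew window are all assumptions made for the example.

```python
"""Common-vocabulary event normalization and same-occurrence matching.

Added example illustrating the CEE idea; the formats, field names and
vocabulary below are constructed for this demonstration, not CEE's own.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records: a firewall and an IDS observing ONE occurrence,
# plus an unrelated IDS alert an hour later.
FIREWALL_LINE = ("Apr 18 10:02:11 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 "
                 "DST=192.168.1.10 PROTO=TCP DPT=22")
IDS_LINE = ("2007-04-18T10:02:12Z ids01 alert: blocked connection from "
            "10.0.0.5 to 192.168.1.10 port 22/tcp")
UNRELATED_LINE = ("2007-04-18T11:30:00Z ids01 alert: blocked connection from "
                  "10.0.0.7 to 192.168.1.10 port 80/tcp")


@dataclass(frozen=True)
class CommonEvent:
    """Hypothetical common vocabulary: the fields every source can fill."""
    ts: datetime
    action: str
    src: str
    dst: str
    proto: str
    dport: int
    observer: str


# Source-specific parsers; each one knows only its own device's format.
FW_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>\w+) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)")
IDS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) alert: (?P<action>\w+) connection from "
    r"(?P<src>\S+) to (?P<dst>\S+) port (?P<dport>\d+)/(?P<proto>\w+)")

# Vendor-specific verbs collapse onto a shared action vocabulary (assumed).
ACTION_MAP = {"DROP": "deny", "REJECT": "deny", "blocked": "deny",
              "ACCEPT": "allow", "allowed": "allow"}


def parse_firewall(line, year=2007):
    """Syslog-style line without a year; the year is supplied by the caller."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return CommonEvent(ts, ACTION_MAP.get(m["action"], "unknown"), m["src"],
                       m["dst"], m["proto"].lower(), int(m["dport"]), m["host"])


def parse_ids(line):
    """ISO-8601 timestamped alert line."""
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return CommonEvent(ts, ACTION_MAP.get(m["action"], "unknown"), m["src"],
                       m["dst"], m["proto"].lower(), int(m["dport"]), m["host"])


def same_occurrence(a, b, window_seconds=5):
    """Two normalized events describe one occurrence when every descriptive
    field matches and the timestamps differ by no more than the skew window
    (different observers rarely have perfectly synchronized clocks)."""
    if (a.action, a.src, a.dst, a.proto, a.dport) != (b.action, b.src, b.dst, b.proto, b.dport):
        return False
    return abs((a.ts - b.ts).total_seconds()) <= window_seconds


def correlate(events, window_seconds=5):
    """Group normalized events into occurrences; returns a list of groups."""
    groups = []
    for ev in events:
        for group in groups:
            if same_occurrence(group[0], ev, window_seconds):
                group.append(ev)
                break
        else:
            groups.append([ev])
    return groups


if __name__ == "__main__":
    events = [parse_firewall(FIREWALL_LINE), parse_ids(IDS_LINE), parse_ids(UNRELATED_LINE)]
    for group in correlate(events):
        observers = ", ".join(ev.observer for ev in group)
        print(f"{group[0].ts.isoformat()} {group[0].action} {group[0].src}->{group[0].dst}:"
              f"{group[0].dport}/{group[0].proto} seen by: {observers}")
```

The matching step only works because both parsers emit the same vocabulary; that shared vocabulary, not the parsers, is the part a standard like CEE would have to pin down.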
Tuesday, April 17, 2007
Wednesday, April 11, 2007
This fun blog post contrasts such security requirements with compliance requirements (specifically, PCI DSS). It turns out that "there is a direct correlation between platform and application diversity and the cost and effort associated with achieving and maintaining compliance with the PCI Data Security Standard [as well as other regulations]."
So, it boils down to who is scarier: a worm or an auditor? :-) A tough one indeed!
Tuesday, April 10, 2007
Sunday, April 08, 2007
So, when I posted this blurb on anti-virus missing malware, I didn't mean to whip people into a frenzy. I really didn't - I just wanted to express my genuine shock about how poorly the tools, built for blasting away the threats of the 90s, fare against the threats of the 00s. In fact, I myself naively thought that a typical AV tool would catch 60-80% of serious in-the-wild malware today. Some of my readers were surprised by the numbers and some were not, stating that it matches their experience as well. Many probably choose to stick to the "my anti-virus is fine, go away!" illusion.
It is also bizarre how some people chose to interpret my blog post as biased: "i saw where this was going early on (the original question was obviously loaded)." I would like to assure them that while I did state my initial question in a somewhat emotional manner, this was not due to any inherent bias I might have had, but due to my deep surprise. I myself hate people saying things like "today was a hot day -> obviously global warming is here" :-), but in this case what matters is not "statistical significance", "sample selection bias" or "test-bed integrity", but the fact that if you deploy anti-virus on your systems and run it according to the "directions on the label", your system will soon "change hands" :-) This doesn't point to any global emerging trend, but just to a fact observed by the author of the study (which, BTW, I just read; I did not conduct it myself ...)
I later learned that a major analyst firm, that will remain nameless for now, proclaimed in their recent piece: "By 2009, anti-virus as we know it will be dead, succeeded by a new generation of protection technologies, and many of today's anti-virus vendors will be extinct."
Some folks have asked me a sensible question: what is the alternative? At this point in time, the alternative for most people is fairly unpleasant: you are going to get 0wned :-) Go update your incident response (IR) plans and sharpen your IR skills. Learn to detect 0wned systems.
Over the long term, I am willing to bet on some fancy "whitelisting" approach (e.g. this) or novel heuristics (e.g. here) or something else (e.g. here), which is still being forged in secret underground labs of some nameless security start-up :-)
Overall, it seems that "classic" (e.g. "blacklisting") anti-virus technology does indeed work as stated by its purveyors. It is just that modern malware no longer does ...
" It really is amazing how many [security] companies persist in basically a state of permanent hibernation." Having lived thru this, I can totally relate ...
Indeed, being the last to jump off the "Titanic" is noble (and might save your life, after all), but then again it might make you a mincemeat if you get sucked under the propellers :-(
Have you, a security professional, ever willingly circumvented a security measure?
| Surfed to a blocked site, bypassing a content filter | 22% |
| Violated whatever physical security measure | 18% |
| Used a web-based email against the policy | 16% |
| Sent a document to home address against the policy | 16% |
| Used IM or IRC against the policy | 14% |
| Other - please comment on the blog | 7% |
| I NEVER did anything of that sort | 3% |
So, what is there to conclude here? Security people are people too. And, as I said in the past, security issues are here not because of a bad TCP/IP stack or buggy Windows; they are here because people are, well, people.
Think about it (but not for too long - your head might spin ... :-)): if you need to do your job (i.e. security) and a security measure (which you might or might not think of as "stupid" beforehand) stands between you and you doing your job, would you break it? I suspect that my little unscientific survey answers it: "hell yeah!" :-)
Now, can you blame your users for doing the same? I dunno :-)
Wednesday, April 04, 2007
I haven't finished reading it yet, but a mystical force :-) compels me to write a pre-review. Here it is: Andrew Jaquith's "Security Metrics" book rulez!
Apart from awesome content (more on this later, of course) and uber-superb :-) style, the book just flows. To top it off, I have tremendous respect for people who can say the words "pachyderm picnic" and not smile :-) I have a sense that I am invited to it ...
I also think that the remnants of the "Evil ROSI Empire" (e.g. this) as well as "Heresiarchs of Risk Management" will be finally put to painful and well-deserved death by this book ...
However, look at this recent PR piece from Sourcefire which introduces daemonlogger - a tool to efficiently capture packets (a kind of tcpdump on steroids) - the piece does mention "logs" and "logging" (and even log management) way too many times.
What's up with that? Is logging cool again? :-) Or is somebody at Sourcefire thinking about logs? They do need to diversify, ya know...
Monday, April 02, 2007
I've been wanting to create those for a loooooong time and finally - here they are (you can guess I've been on a long flight :-)). Some are admittedly tongue-in-cheek, but useful nonetheless. So, enjoy Anton's "Top 11 Reasons to Collect and Preserve Computer Logs", presented in no particular order:
- Before anything else, do you deal with credit cards? Patient info? Are you a government org under FISMA? A financial org? You have to keep'em - stop reading further.
- What if there is a law or a regulation that requires you to retain logs - and you don't know about it yet? Does the world "compliance" ring a bell?
- An auditor comes and asks for logs. Do you want to respond "Eh, what do you mean?"?
- A system starts crashing and keeps doing so. Where is the answer? Oops, it was in the logs - you just didn't retain them ...
- Somebody posts a piece of your future quarterly report online. Did John Smith do it? How? If not him, who did? Let's see who touched this document - got logs?
- Malware is rampant on your network. Where did it come from? Who spreads it? Just check the logs - but only if you have them saved.
- Your boss comes and says 'I emailed you this and you ignored it!!' - 'No, you didn't!!!' Who is right? Only email logs can tell!
- The network is slow; somebody is hogging the bandwidth. Let's catch the bastard! Is your firewall logging? Keep the info at least until you can investigate.
- Somebody added a table to your database. Maybe he did something else too - no change control forms were filed. Got database log management? How else would you know?
- Disk space is cheap; tape is cheaper still. Save a log! Got SAN or NAS? Save a few of them!
- If you plan to throw away a log record, think - are you 100% sure you won't need it, ever? Exactly! :-) Keep it.
Have more? Feel free to suggest your own reasons below!
Coming soon: "Top 11 Reasons to Look at Your Logs"
Sunday, April 01, 2007
Remember my blog post about testing the captured malware binaries via VirusTotal? What I asked there was this:
"So, let's suppose somebody who is involved with incident response at a typical US public University has collected a few recent malware samples from the compromised machines and then submitted all the samples to VirusTotal for scanning with pretty much ALL current anti-virus and anti-virus-like products.
What do you think the average detection rate (i.e. a malware sample was identified as "something bad") was?"
I wanted to hold off for a bit more but something happened.
First, let me give you the answer: it is 33%. In other words, an average detection rate of malware from these "solutions" was 33% with maximum at 50% and minimum at 2% (!). Keep this number in mind, that shiny anti-virus product you just bought might be protecting you from just 2% of currently active and common malware (not some esoteric and custom uber-haxor stuff)!
So, I have to conclude what many security "punditoids" were blabbing about for years: "mainstream" anti-virus is finally DEAD. Running it can be considered a weak excuse for defense-in-depth, but in about the same sense as wearing an extra shirt provides "another security layer" in a gun fight...
Second, what prompted my post at this time was that I had an ugly and very personal encounter with one of such owned boxes. Here is my account of the story, with some details changed to protect the innocent, who was smart enough to call me for help.
What we have here is a fully patched Windows XP SP2 system (with automatic updates set to daily) running:
a) freshly updated and functioning Symantec Anti-Virus Corporate Edition version 10.X, configured with all protections, including spyware/adware,
b) freshly updated Windows Defender version 1.X (set for daily updates and scans), also configured with all protections, and
c) ZoneAlarm free edition version 6.X with well-tuned outbound rules and, obviously, nothing allowed inbound.
The system was also hardened by removing a lot of the Microsoft protocols such as NetBIOS (just in case), killing many of the running services and configuring Internet Explorer (which was, I suspect, the weakest link still) to limit most of the "risky" stuff such as ActiveX, etc.
One sad day the user of the above system noticed a series of outbound connection attempts reported by ZoneAlarm. Being somewhat paranoid, the user tried to click "Deny" on a ZoneAlarm pop-up, but this button was grayed out (uh-oh...). The next thing this IT-savvy user did was to Google the name of the executable that tried to connect ("uvcx.exe") and discovered this (another uh-oh!), at which point he yanked the eth cable right out of the box - whack! :-) - and then shut down the system.
When I arrived at the incident site, the system was still turned off, so I booted it to investigate ...
To be continued.
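The one signal that saved this box was an outbound connection attempt by an executable the user did not recognize, which is exactly the kind of "detect 0wned systems" skill the earlier post recommends sharpening. The following is an added example, not the author's tooling and not ZoneAlarm's real log format: it builds a baseline of which executables normally make outbound connections (and to which ports) from a constructed host-firewall log, then flags first-seen executables and first-seen ports on later lines. The log format, file paths and IP addresses are constructed for the example; only the executable name "uvcx.exe" comes from the account above.

```python
"""First-seen outbound-connection alerting over host-firewall logs.

Added example; the log format below is hypothetical and the paths and
addresses are constructed. Only the name uvcx.exe comes from the incident.
"""
import re
from collections import defaultdict

# Constructed history from quiet weeks: the machine's normal outbound talkers.
BASELINE_LOG = r"""
2007-03-20 09:01:00 OUT C:\Program Files\Internet Explorer\iexplore.exe 10.1.1.1:80
2007-03-20 09:02:00 OUT C:\Program Files\Symantec AntiVirus\Rtvscan.exe 10.1.1.2:443
2007-03-21 09:03:00 OUT C:\Program Files\Internet Explorer\iexplore.exe 10.1.1.3:443
"""

# Constructed lines from the day things went wrong: a familiar browser session,
# an unknown executable trying twice, and the browser on a never-seen port.
NEW_LOG = r"""
2007-04-01 14:00:00 OUT C:\Program Files\Internet Explorer\iexplore.exe 10.1.1.9:80
2007-04-01 14:00:05 OUT C:\WINDOWS\system32\uvcx.exe 10.9.9.9:8080
2007-04-01 14:00:06 OUT C:\WINDOWS\system32\uvcx.exe 10.9.9.9:8080
2007-04-01 14:01:00 OUT C:\Program Files\Internet Explorer\iexplore.exe 10.1.1.9:8443
"""

# Hypothetical format: "<date> <time> OUT <exe path> <remote-ip>:<port>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) OUT (?P<exe>.+?) "
    r"(?P<remote>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "exe": m["exe"],
                           "remote": m["remote"], "port": int(m["port"])})
    return events


def build_baseline(events):
    """Map each executable (case-folded path) to the remote ports it used."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["exe"].lower()].add(ev["port"])
    return baseline


def detect_first_seen(baseline, events):
    """Alert on executables never seen talking out, or on a known executable
    using a port it never used before. Repeated identical hits are collapsed
    so a chatty process yields one alert, not one per retry."""
    alerts, seen = [], set()
    for ev in events:
        exe = ev["exe"].lower()
        if exe not in baseline:
            reason = "new-executable"
        elif ev["port"] not in baseline[exe]:
            reason = "new-port-for-executable"
        else:
            continue
        key = (exe, ev["remote"], ev["port"], reason)
        if key in seen:
            continue
        seen.add(key)
        alerts.append({"ts": ev["ts"], "exe": ev["exe"], "remote": ev["remote"],
                       "port": ev["port"], "reason": reason})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for alert in detect_first_seen(baseline, parse(NEW_LOG)):
        print(f"{alert['ts']} {alert['reason']}: {alert['exe']} -> "
              f"{alert['remote']}:{alert['port']}")
```

A baseline like this is only as good as the quiet period it was built from; if the history already contains the malware's traffic, the newcomer looks normal, which is why the baseline should come from a known-clean window and why a host firewall that lets the user say "Deny" still matters.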