Tag Archives: conference

SCADA, control systems and security – not necessarily enemies

Posted on by
1

Insights from the NISA International SCADA Security Forum conference (NISA stands for National Information Security Authority, which is a division of the Israeli Security Agency).

We all know that SCADA has been considered a security nightmare for a long time. Admittedly, I only have a short experience with such systems and control systems in general (just short of two years), but the topic is fascinating. The main challenges in securing control systems from my point of view is the ability to “connect” with the domain experts and understand the systems and processes properly.
Unfortunately, we, as a security community are far from it (at least based on what I have seen in the past couple of days in the conference). The rush to force traditional IT solutions and ways of thinking onto control systems just do not work. From “learning” firewalls that monitor the industrial control protocols, to systems that are designed to ADD complexity to the threat modeling by layering network and Internet related threats to SIEM mechanisms and add the “scada” data to it. These are all solutions that are Bound to fail as they do not understand the actual needs and operational state of mind of control systems engineering.

If we take a new and unbiased look at what kind of data and processes are involved in such systems, we (as in the security community) would be thrilled to learn that there are a lot of untapped intelligence resources that would substantially help us in building a more appropriate and relevant detection and alerting mechanisms. Trying to force an IT solution on these would be an exercise in fitting a square peg into a round hole, and as exciting as that may be we all know what would be the outcome of it.

To sum things up – just as you would not pretend to know the environment of a financial or a commercial customer when approaching the task of securing it, control systems pose an ever more distinct challenge. Open up, keep the critical thinking and most of all LISTEN. You’ll find out that long before you can start pushing the “cyber” agenda, you have much to work with just with the basic data and processes already at hand, and that there is a lot of value that a security practitioner can bring to such an organization.

P.S. I’m specifically refraining from addressing any product or vendor as I do not think it’s fair to “out” them (however big or small they may be) as these have obviously been rushed to the market in an attempt to get an initial foothold in the industry. Nevertheless, I do encourage such vendors to do some more homework, and work WITH the industry rather than just try to capitalize on their existing expertise in IT and “cyber”.

The power of collaboration (BlueHat post)

Posted on by
Reply

Some additional BlueHat wrap-up -  a collaborative post with a dear colleague of mine Fyodor Yarochkin has just been posted on the BlueHat blog.

The interesting thing about this is that my interaction with Fyodor have been as follows:

  1. Email exchange prior to BlueHat, as we were speaking one after the other, and were referring to the same ecosystems but from different points of view.
  2. Meeting in Seattle/Redmond at BlueHat, having some conversations (and drinks, yes, some drinks were involved too) about work, research, and such.
  3. Speaking one after the other.
  4. Working together on a post through online sharing tools where we basically played with throwing ideas around, putting in writing what we thought about them, exchanging some ideas and directions, and coming up with the aforementioned post.

To sum this up quickly, we didn’t really know each other (not virtually either) a few weeks ago, and based on our mutual interests, research and passion we were able to come up with a (somewhat) cohesive post that at least I can stand back and say “damn!, that’s pretty good” (and learn something from).

Only in InfoSec!

Pentesters and businessman are doing it wrong

Posted on by
6

Following my last post on the realistic cost of a pen-test (which as I mentioned was derived from long conversations on the topic with a couple of friends from the industry), I’d like to review one of the best presentations I have seen lately – Chris Nickerson’s Brucon talk.

I’ve had the opportunity to see this talk shape up to be what it ended up like in the week or so that we have been hanging out together. And let me tell you – it was one hell of a week. There were some reactions to the talk (no wonder – Chris was on stage) and I’d like to put things in perspective (at least mine, if you want more go talk to Chris…).

The first point which is directly derived from the talk is that we, as an industry, have been doing the wrong thing for a long time. Pentesting has become a glorified minion work, and we just kept it behind for such a long time. What the talk tries to say is open your mind, and DO YOUR HOMEWORK. Chris calls it “do work”, but I’m saying that before we do work we need to do homework. Learn. Inspect. Absorb. See beyond the technical aspects of a pentest. Understand what is the environment in which the business operates, who are the key players, partners and customers. How does the business make money? What would hurt the business the most? Only then, we can approach the pentest with a clear goal in mind (and no – it’s not getting root/shell on a box).

The second point that I’d like this talk to provoke is that we are not the only ones at fault. It’s also the customers (yeah – I said that the customer is wrong. Sue me). They have been trained to ask for technicalities. Be it a pentest, a product or even a service. Most of the times they can’t really explain the methodology behind what they are asking for and the business relevance of it. Instead of asking for a pentest for a new web application, they should be asking for a security assessment of what makes their business “tick” which may be related to the web application. Small difference in wording, HUGE difference in scope and ROI from such an engagement. And yes, this all comes back to us as we have been offering “off the shelf” pentests that have no actual relevance to the business side, and have “technofied” our services and products to fit checkboxes of some obscure regulatory compliance. We need to retrain our customers (i.e. the industry) and get ourselves trained on the business aspects as well.

This topic is just one of many more that were conceived during the security-on-steroids-week which was Source Barcelona and Brucon. I’d rather post these side-effect ideas that were generated from discussions around the talks than the actual talk contents (you should be able to download these anyway in the near future from the conference websites anyway).

Updated speaking schedule!

Posted on by
2

As noted before, for some reason beyond my understanding I am going to be speaking at both SOURCE Barcelona and Brucon in September, as well as in Excaliburcon in China (you guys must really like this whole crime meets state thing huh?).

So, down to business, SOURCE Barcelona is going to be awesome – It’s going to be my first SOURCE I’m really looking forward to getting back together with some of my friends (Chris, Wim, Jayson… the old Wuxi pwnage team en-scale), and meet people I wanted to pick their brains in person (Brian Honan – especially because I’ll miss his talk…).

Next up is Brucon. I’ve said enough about Brucon in the last conference schedule update, nevertheless, it’s shaping up to beat it’s last years’ reputation. Expecting great talks, great crowd, and awesome beer! As far as talks I’m looking forward to – will definitely catch up with Joe which I missed at DefCon, Craig who’s Skylab is of a personal/professional interest to me, Dale with the HeadHacking talk, and Fabian’s GSM one. Obviously there are many more, but as I’ve learned over the years – don’t be greedy (especially not at conferences)…

Last but definitely not least, Excaliburcon is going to happen after all! This year the location is going to be just outside of Beijing. We will all miss Wuxi a lot, but I’m really looking forward to checking out more of China. It was a great experience last year and I’m setting up my hopes pretty high for December as the speaker list is getting pretty hot!

The common threat across these three conferences is that unlike the “big ones”, they all allow the attendants a very close interaction with the talks. This really enables more information sharing and knowledge transfer, and I’ve really learned a lot more from smaller conferences such as these than from the big ones that sport a dozen tracks at the same time (think RSA… you are not going there for the content anymore…).

If you happen to be at one of those, feel free to ping me (or even better – buy me a beer :-) )!

Cloud Security Alliance Conference (Israel) – CFP

Posted on by
Reply

Just wanted to let you all know (as a member of the CSA-IL board) that we will be having a conference on September 2nd who’s title is “Cloud Security Technology and Innovations” in Tel-Aviv, Israel.

We expect to have great participation from all areas of the industry, are working on a great venue to host the conference, and are opening up the Call for Papers.

Please see the CSA-IL WiKi for additional information on how to submit for the CFP:

http://wiki.csail.dreamhosters.com/wiki/CSA_conference#Call_for_papers

Looking forward to seeing you all there!