Tag Archives: Information security

Security Awareness and Security Context – Aitel and Krypt3ia are both wrong?

Posted on by
6

It was pretty obvious that after an Information Security persona such as Dave Aitel has posted his “Why you shouldn’t train employees for security awareness” article, there would be a lot of flak from the industry. A lot has been said about training employees to be somewhat more savvy users when dealing with corporate equipment and data (i.e. “stop clicking shit”). And even one of my favorite and outspoken Information Security personal had a great rebuttal on the matter – Krypt3ia’s “Throwing out the baby with the bathwater: Dave Aitel’s approach to INFOSEC“.

While I really appreciate both opinions, and while Dave’s might have been a little self-serving (aren’t all of our statements online?), I find myself in a very “Zen” place – saying, yes – you are both right, and wrong at the same time.

Krypt3ia points out that dismissing the human factor is going to lead to failures beyond what we can imagine as an industry. The reason here lies back in the fact that when we approach “Information Security” we focus too much on the “Information” part, and less on the more holistic meaning of the “Security” part. Trying to solve infosec issues through technological means is a guaranteed recipe for failure. No one, no technology, or software can account for every threat scenario possible, and this is exactly why we layer our defenses. And layering shouldn’t just be done from a network or software perspective – security layers also include access control, monitoring, tracking, analysis, and yes – human awareness. Without the human factor you are doomed. And that’s a personal promise from someone who’s been abusing the lack of layering and dismissal of such human factor for quite some time now running red-team engagements with high-profile, high-security clients (see – I can be self-serving too!).

On the other hand, Dave is also right – you can’t just throw everything on the employee and expect them to magically turn into “APT detectors” just because they clicked through some CBT program for a few minutes (or hours for that matter). You have to get the basics first, and Dave’s list is just as good as anyone else’s:

  • Audit periphery
  • Perimeter defense and monitoring
  • Isolate & protect critical data
  • Network segmentation
  • Access creep
  • Incident response
  • Strong security leadership

In no particular order, one should establish a consistent and solid implementation of all of these aspects for their organization.

Having said that, saying that employee awareness should be out of this list is where Dave went a little too far. Strong security leadership, access creep, and data protection are not technical feats by themselves. These are exactly the areas where employee awareness turns what could be useless (but very expensive) pieces of software or appliances to something that would actually work under an attack on your information assets. The point is not to _divert_ the spending on awareness, but to _combine_ them into your security strategy.

Which brings me back to my first (and only) point – stop thinking of information security as an industry of blinkenlights and snazzy software solutions. It’s about hacking, and hacking as we all know never stops at gadgets and code. Think of information security like an ATTACKER. Think about _their_ scope, and realize how your organization looks from that perspective. Now, take your budget and spend it on the areas where attackers could have compromised your informational integrity (HEY! Don’t touch that Nessus scan result! I told you to THINK goddamnit!).

And with that, I’ll leave you to your wonderful weekend before Vegas (one last self-serving statement – go check out “Sexy Defense” if you are really interested in an effective defensive strategy that goes beyond blogging and writing articles :-) ).

Happy hacking!

 

Sexy Defense

Posted on by
1

So, Source Boston proved to be a great venue for the inauguration of the Sexy Defense paper and talk that I was working on recently. Had a great time both developing the concepts, as well as discussing them before, on stage, and especially after the talk.

I really was amazed by the great feedback that people had to this, especially from some of my more respected peers. It’s always a great feeling to get an “attaboy” from people you consider experts in their fields.

For convenience, here is the slide-deck I used during the talk. Would love to get more feedback and ideas for pushing this forward into more organizations, and to hear about ways to improve both on the strategy itself, as well as on how to “sell” it, or get organizational “buy-in” internally.

Last but not least – this could not have been done without the support and the peer-review from some of my friends and colleagues: Chris Nickerson, Brian Honan, Chris John Riley, Wim Remes, and Leon van der Eijk. Thanks for going through this and providing excellent commentary and insights!

 

Sexy defense

Update: Dark Reading have posted a great article by Robert Lemos covering the topic, with a really insightful analysis and additional views.

Cyber, Cyber, Cyber. What are we talking about anyway?

Posted on by
18

A long draught (almost a month) in this blog is finally coming to an end after I had some great conversations with good friends at the cyber un-conference here in Israel. One of the obvious discussions is around the use of the term cyber (surprise). The general agreement is that the term has been violated pretty badly by security consulting firms and vendors trying to jump on the “cyber” bandwagon without a slim clue of what they are talking about (another shocker!).

But seriously now, we are all to blame for using the term once in a while (yours truly not excluded), while we all refer to different things. So, let’s try to get some order in the media hype and understand (at least the way I see it) what is this cyber we are talking about.

Disclaimer: this is what I believe that Cyber actually refers to. Your mileage may vary…

For me, cyber starts from way up. Beyond technology and Internet, and even beyond warfare and conflict. Cyber is first and foremost a domain. Much like air, land, sea, and space. A domain is (from the Merriam-Webster dictionary):

1. a. complete and absolute ownership of land
b. land so owned
2. a territory over which dominion is exercised

As such, domains that are not under the direct ownership, are treated by sovereign countries as first and foremost economical factors that affect their well-being. Most importantly, shared, or international domains are crucial to enabling international trade, communication, travel and freedom (especially air, sea and space). Such domains are referred to as “global commons“.

Now think of the Internet and the underlying parts that make it work. Computers, network equipment, cabling, satellite communications and other elements that are owned by a variety of private companies, governments, and are under different jurisdictions around the world. Because it is so hard to pinpoint the ownership of a specific part of the Internet, it is much simpler to treat it as a general domain, and as such, a global common. This is exactly how most modern countries act, and how it, much like the other global commons, became an element of conflicts when such countries escalate diplomatic efforts into actions. A good example of how this works can be seen in the work that NATO are putting to address this exact question. Note how a lot of the efforts are placed first on the legal and cooperative elements before addressing the battlefield (NATO and Cyber Defense – PDF) .

So we went from an economical domain that supports communications, trade and information, to an element which countries may use as part of their available conflict management against other countries. Enter: cyberwar. What most abuses of the term these days do not take into account, that cyberwar, much like airwar, seawar, spacewar and landwar is almost never a singular element in a conflict. It is part of a larger strategy and a mean of affecting diplomatic efforts to achieve some goal at a national or international level. Hence, cyber-weapons are never products or pieces of software, but more generally tactics that are deployed in order to gain an advantage in the cyber common in conjunction with other tactics and strategies used in other domains.

I’m sorry that this isn’t the “sexy” cool thing that some consultant that used to do vulnerability assessments is trying to pitch to you, or some product that a vendor is trying to sell you in preparation to the imminent cyberwar that will erupt any minute now and eject all the CD trays of the PCs in your organization. It’s more in the lines of a broader understanding of what elements that would be used in the cyber common would affect us as individuals, organizations, cultures and countries that we should be concerned about. It’s more about how countries are developing capabilities that would be used to gain an advantage over their adversaries in diplomatic conflicts. Whether on an ongoing basis – much like “normal” spying and intelligence gathering is done in times of peace, or in times when more active measures are taken.

The bottom line is that the “Cyber” term is first handled at the higher levels which may have nothing to do with some virus or worm hitting a nuclear plant, and only then translated to the tactics used to protect or attack assets which have some manifestation in that domain.

Now we can all get back to abusing the term. At least we knowhow we are going to abuse it :-) .

Additional reading:
http://www.worldpoliticsreview.com/articles/6838/resetting-article-5-toward-a-new-understanding-of-natos-security-guarantees
http://security.cbronline.com/news/cyberspace-is-operational-domain-like-air-land-and-sea-us-150711

 

Introducing SexyDefence

Posted on by
1

After a long time of no updates, I’m finally back to a “normal” schedule, but as always – there’s some new project that emerges from just being around extremely smart people and accessibility of alcohol…

So, during an exciting tweeting session at the SecurityZone green room (which is never green BTW), where all of us geeks were relaxing and instead of actually talking to each other (again – we are all in the same room), we were exchanging gestures and an occasional snicker as we “discussed” things on twitter. At one point, the question of “why on earth can’t we make defense as sexy as we managed to make offense?” (in the context of information security of course).

That started what we call “SexyDefence”.Bar Refaeli in soldier uniform

The parties to blame are: James Arlen, Stefan Friedly, Chris Nickerson, David Kennedy, Wim Remes, Dave Marcus, Chris John Riley, Georgia Weidman, and yours truly. We managed (in 30 the 30 minutes we had before we went back to “normal” con business and ran a panel on SexyDefence) to set up a space where this new initiative would be panned out. Here are the main points (just a beginning) of what we consider as the SexyDefence “manifesto” :-)

0. Rediscover your passion for the job you have instead of whining about the job you don’t have.
1. Wake the fuck up and learn how your company works (for realz – not just the techie stuff)
2. Use everything you have. whatever the “bad” guys use is fair game for u as well. research vulns on attack tools…
3. Intelligence. Gather it. On you, on your threat communities. Now use it. Intelligently.
4. You have more information at your disposal than you think (logs. Lots of them). Figure out a way to use it.
5. Remember that it’s the users (humans) that will screw you up. Make sure your “plans” include dealing with them (not just tech)

Feel free to take a look (and as always contribute – see PTES) here: http://wiki.doinginfosecright.com/index.php?title=Main_Page

Happy hacking!

p.s. – Yes, I figured that a picture of the local model Bar Refaeli in uniform would be better that the one used on James’ blog of RightSaidFred…

 

SecurityZone – to finish this year with a bang!

Posted on by
Reply

So, some of you have heard of SecurityZone, some are skeptical and some just jealous. Here’s the gist of it from my view:

Professional:

  • Awesome lineup. We managed (and I allow myself to say we as I might have had some help with getting some of the speakers) to get some of the coolest names in the industry with cutting edge security content. To think that this is a first time conference, I would have cut off a kidney to get a lineup like that. Yet it’s on!
  • Workshops – I’m super excited to be part of the workshops. For some reason (don’t ask me how) the notorious Chris Nickerson and yours truly will have a chance to basically go all-out on a red-team testing workshop. I cannot guarantee the sanity of participants at the end of the day, but I’ll be damned if they won’t at least enjoy it. Subtle hint – buy us drinks and more fun is guaranteed ;-) . Now take a look at the other workshops. I know… tough choice!

Venue:

  • Come on, it’s Cali, Colombia! What can go wrong in a city that calls itself the capital of Salsa. That sits in one of the more beautiful places in northern south America, and that brings the warmth and hospitality of the locals to tourism. Haven’t been there yet, and I’m already sold – just based on reading some online, working with the relentless SecurityZone organizers (huge shout-outs!), and talking to people who already visited the place.

Personal:

  • My roots actually go back to south america. My dad managed to visit Argentine just this year for the first time since he was a kid, and for me an opportunity to get a little closer to the culture was something I just couldn’t pass on…
So, bottom line – this looks like just the perfect grand finale to an awesome year of the Dirty Security World Tour 2011. Very excited to meet everyone from the crew, and especially to meet new people – locals and whoever makes the smart choice and picks this as an international security conference to attend.
Ciao!

Information Security, Homeland Security, and finding someone to pin it on

Posted on by
1

In the recent spree of cyber attacks on a plethora of US and international government and federal related establishments a lot of speculations are being thrown around as authorities are trying to find the threat community behind it.

As computer systems are reigning most of the control over our daily lives – from transportation, through financial systems, and up to government facilities that provide research, analysis and even critical infrastructure to support what we know of now as “modern life”, attackers find it easier and easier to poke at such systems as their security is left mostly as an afterthought. Most of the focus when the relevant organizations approach the forensics and remediation of such breaches is first to recover any lost data, and then to identify not the root cause of the breach, but the attacker.

As the blame game runs amok, the actual privacy and confidentiality of the core (digital) elements of our modern society are left for grabs. When groups such as LulzSec, Anonymous, and any other book-reading internet-browsing anonymous-under-several-proxies infosec-warrior find it as easy as running a few scripted tools on their target list to find easy to exploit issues, we are facing a very tough job of figuring out who to blame.

Nevertheless, blame by itself (or attribution as we like to refer to it in the more politically-correct industry circles) won’t help us in mitigating such attacks. It may be helpful for organizations to have someone to pin the “adversary” tag on – especially when dealing with defense/government/federal institutions who’s budgets can be manipulated more easily under the threat of a foreign nation. But when looking at the ability to actually come up with evidence to support such claims we often face empty hands, and a thick smokescreen of assumptions, prejudice, and incompetence.

On the other hand, when viewed from a strategic/political stance, it can be easily seen how a string of breaches in facilities that share a common ground (such as the one presented by Rafal Los of HP in his great article “DOE Network Under Siege”) can be attributed more to a nation state than to a fun-seeking internet-bored group.

This simple reality – of having intricate connections that are often only visible when looking at the bigger picture of security incidents, allows state sponsored attacks to happen without much scrutiny or the ability to thwart them on a more strategic position.

The bottom line remains the same – chasing after excuses and online enemies won’t get us to a more secure state. Investing in proper education, training, exercises, people and (lastly) technologies, will. Instead of trying to investigate breaches from an attribution standpoint, we should be investigating root causes to the deepest level (i.e. not stopping at “a 0-day vulnerability we didn’t know of”, or the bit-bucket of “It’s an APT”) that involves how we manage our electronic infrastructure and how we keep track of what’s going on in it after the initial setup is complete and the contractors/integrators pack up their people and leave.

Post Brucon thoughts – guesstimates in an engineering field

Posted on by
2

So, another epic Brucon has ended, and while everyone is getting their thoughts together again (the amount of super smart people I have had the pleasure to have conversations with is unimaginable), I wanted to post a quick recap.

First things first – numbers. I’ve been working with the FAIR methodology quite a while now, and have actually (with the kind permission of Jack Jones) integrated some of its elements into the Penetration Testing Execution Standard (PTES). Watching the discussions that started after Jack’s talk at Brucon was heartwarming. Pentesters and security practitioners finally “get it”, was divine. Working in a field of engineering that has the least engineering in the sense of how it’s applied to businesses has been frustrating to say the least. With the ability to effortlessly connect the technical elements of vulnerabilities and exploits to business-speak has been one of my personal challenges (and hopefully strengths), and being able to tilt the industry even a little towards that direction is something that we all needed for a long time.

A quick “teaser” to add on top of it (which has been previewed in my talk) is the ability to also marry in the social media risk into the risk management practice (look out for some more cool research and insights coming from that direction very soon!).

Which leads me to the last point – the ever evolving presentation I use to deliver the message about data exfiltration is provided for your viewing pleasure. Don’t fear the >100 slide count – it’s mostly the “build” effects that I left in for clarity.

Looking forward for some more discussions and developments in the way that we as an industry are justifying what we practice (if it wasn’t obvious by now – go check out what FAIR is, and then start thinking on how to integrate it into what you do…).