Securosis

Network Security Fundamentals: Default Deny (UPDATED)

(Update: Based on a comment, I added some caveats regarding business critical applications.)

Since I’m getting my coverage of Network and Endpoint Security, as well as Security Management, off the ground, I’ll be documenting a lot of fundamentals. The research library is bare from the perspective of infrastructure content, so I need to build that up, one post at a time.

As we start talking about the fundamentals of network security, we’ll first zero in on the perimeter of your network: the Internet-facing devices accessible by the bad guys, and usually one of the prevalent attack vectors. Yeah, yeah, I know most of the attacks target web applications nowadays. Blah blah blah. Most, but not all, so we have to revisit how our perimeter network is architected and what kind of traffic we allow into that web application in the first place.

Defining Default Deny

Which brings us to the first topic in the fundamentals series: Default Deny, which implements what is known in the trade as a positive security model. Basically it means unless you specifically allow something, you deny it. It’s the network version of whitelisting. In your perimeter device (most likely a firewall), you define the ports and protocols you allow, and turn everything else off.

Why is this a good idea? Lots of attacks target unused and strange ports on your firewalls. If those ports are shut down by default, you dramatically reduce your attack surface. As mentioned in Low Hanging Fruit: Network Security, many organizations have out-of-control firewall and router rules, so this also provides an opportunity to clean those rules up.

As simple an idea as this sounds, it’s surprising how many organizations either don’t have default deny as a policy, or don’t enforce it tightly enough because developers and other IT folks need their special ports opened up.
Getting to Default Deny

One of the more contentious low hanging fruit recommendations, as evidenced by the comments, was the idea to just blow away your overgrown firewall rule set and wait for folks to complain. A number said that wouldn’t work in their environments, and I can understand that. So let’s map out a few ways to get to default deny:

One Fell Swoop: In my opinion, we should all be working to get to default deny as quickly as possible. That means taking a management by complaint approach for most of your traffic, blowing away the rule set, and waiting for the help desk phone to start ringing. Prior to blowing up your rule base, make sure to define the handful of applications that will get you fired if they go down. Management by Complaint doesn’t work when the complaint is attached to a 12-gauge pointed at your head. Support for those applications needs to go into the base firewall configuration.

Consensus: This method involves working with senior network and application management to define the minimal set of allowed protocols and ports. Then the impetus falls on the developers and ops folks to work within those parameters. You’ll also want a specific process for exceptions, since you know those pesky folks will absolutely positively need at least one port open for their 25-year-old application. If that won’t work, there is always the status quo approach…

Case by Case: This is probably how you do things already. Basically you go through each rule in the firewall and try to remember why it’s there and if it’s still necessary. If you do remember who owns the rule, go to them and confirm it’s still relevant. If you don’t, you have a choice: turn it off and risk breaking something (the right choice), or leave it alone and keep supporting your overgrown rule set.

Regardless of how you get to Default Deny, communication is critical. Folks need to know when you plan to shut down a bunch of rules and they need to know the process to get the rules re-established.
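As an added illustration (not code from the original post), the sketch below models a perimeter rule set with first-match evaluation and an implicit default deny, trims it to a base configuration of business-critical rules, and audits the overgrown set case by case. The rule names, addresses, ports and the max_ports threshold are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One explicit allow rule. There are no deny rules: deny is the default."""
    name: str
    src: str                      # source CIDR; "0.0.0.0/0" means any source
    proto: str                    # "tcp", "udp" or "any"
    ports: range                  # destination ports this rule opens
    owner: Optional[str] = None   # who asked for it; None = nobody remembers


def port_range(lo, hi=None):
    """Inclusive destination port range."""
    return range(lo, (lo if hi is None else hi) + 1)


def decide(rules, src, proto, dport):
    """First matching allow rule wins; traffic that matches nothing is denied."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and r.proto in ("any", proto)
                and dport in r.ports):
            return "allow", r.name
    return "deny", "default-deny"


def base_config(rules, critical):
    """One fell swoop: keep only the rules for business-critical applications."""
    return [r for r in rules if r.name in critical]


def audit(rules, max_ports=16):
    """Case by case: flag rules with no owner, all protocols, or a wide port range."""
    findings = {}
    for r in rules:
        issues = []
        if r.owner is None:
            issues.append("no owner")
        if r.proto == "any":
            issues.append("all protocols")
        if len(r.ports) > max_ports:
            issues.append(f"{len(r.ports)} ports open")
        if issues:
            findings[r.name] = issues
    return findings


# Constructed sample rule set (documentation address ranges, made-up names).
OVERGROWN = [
    Rule("web-https", "0.0.0.0/0", "tcp", port_range(443), owner="web team"),
    Rule("smtp-in", "0.0.0.0/0", "tcp", port_range(25), owner="messaging"),
    Rule("legacy-app", "0.0.0.0/0", "any", port_range(7000, 7999)),
    Rule("temp-vendor", "192.0.2.0/24", "tcp", port_range(8443)),
]
CRITICAL = {"web-https", "smtp-in"}   # the applications that get you fired

if __name__ == "__main__":
    base = base_config(OVERGROWN, CRITICAL)
    for pkt in [("198.51.100.7", "tcp", 443), ("203.0.113.9", "udp", 7500)]:
        print(pkt, "before:", decide(OVERGROWN, *pkt), "after:", decide(base, *pkt))
    for name, issues in audit(OVERGROWN).items():
        print(name, "->", ", ".join(issues))
```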
Testing Default Deny

We at Securosis are big fans of testing your defenses. That means just because you think your firewall configuration enforces default deny, you need to be sure. So try to break it. Use vulnerability scanners and automated pen testing tools to find exposures that can be exploited. And make this kind of testing a standard part of your network security practice.

Things change, including your firewall rule set. Mistakes are made and defects are introduced. Make sure you are finding them – not the bad guys.

Default Deny Downside

OK, as simple and clean as default deny is as a concept, you do have to understand this policy can break things, and broken stuff usually results in grumpy users. Sometimes they want to play that multi-player version of Doom with their college buddies and it uses a blocked port. Oh, well, it’s now broken and the user will be grumpy. You also may break some streaming video applications, which could become a productivity boost during March Madness. But a lot of the video guys are getting more savvy and use port 80, so this rule won’t impact them.

As mentioned above, it’s important to ensure the handful of business critical applications still run after the firewall ruleset rationalization. So do an inventory of your key applications and what’s required to support those applications. Integrate those rules into your base set and then move on. Of course, mentioning that your trading applications probably shouldn’t need ports 38-934 open for all protocols is reasonable, but ultimately the business users have to balance the cost to re-engineer the application versus the impact to security posture of the status quo. That’s not the security team’s decision to make.

Also understand default deny is not a panacea. As just mentioned, lots of application traffic uses port 80 or 443 (SSL), and will largely be invisible to your firewall. Sure, some devices claim “deep packet inspection” and others talk about application awareness, but most don’t. So more sophisticated attacks require additional layers of defense. Understand default deny for what it is: a coarse filter for your perimeter, which

Friday Summary: January 29, 2010

I really enjoy making fun of marketing and sales pitches. It’s a hobby. At my previous employer, I kept a book of stupid and nonsense sales sayings I heard sales people make – kind of my I Ching by sociopaths. I would even parrot back nonsense slogans and jargon at opportune moments. Things like “No excuses,” “Now step up to the plate and meet your commitments,” “Hold yourself accountable,” “The customer is first, don’t forget that,” “We must find ways to support these efforts,” “The hard work is done, now you need to complete a discrete task,” “All of your answers are YES YES YES!” and “Allow us to position for success!” Usually these were thrown out in a desperate attempt to get the engineering team to spend $200k to close a $40k deal.

Mainstream media marketing uses a similar ham-fisted belligerence in their messaging – trying to tie all your hopes, dreams, and desires to their product. My wife and I used to sit in front of the TV and call out all the overt and subliminal messages in commercials, like how buying a certain waffle iron would get you laid, or a vacuum cleaner that created marital bliss and made you the envy of your neighbors. Some of the pharmaceutical ads are the best, as you can turn off the sound altogether and just gaze at the imagery and try to guess whether they are selling Viagra, allergy medicine, or eternal happiness. But playing classic music and, in a re-assuring voice, having a cute cartoon figure tell people just how smart they are, is surprisingly effective at getting them to pay an extra $.25 per gallon for gasoline.

But I must admit I occasionally find myself swayed by marketing when I thought I was more or less impervious. Worse, when it happens, I can’t even figure out what triggered the reaction. This week was one of those rare occasions. Why the heck is it that I need an iPad? More to the point, what void is this device filling and why do I think it will make my life better? And that stupid little video was kind of condescending and childish … but I still watched it. And I still want one. Was it the design? The size? Maybe it’s because I know my newspaper is dead and I want some new & better way to get information electronically at the breakfast table? Maybe I want to take a browser with me when I travel, and not a phone trying to pretend to display web pages? Maybe it’s because this is a much more appropriate design for a laptop? I don’t know, and I don’t care. This thing looks cool and useful in a way that the Kindle just cannot compare to. I want to rip Apple for calling this thing ‘magical’ and ‘revolutionary’, but dammit, I want one.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Rich, Martin, and Zach on this week’s Network Security Podcast.

Favorite Securosis Posts

Rich: Adrian’s start to the database security fundamentals series.
Mike: Rich’s FireStarter on APT. I’m so over APT at this point, but Rich provides some needed rationality in the midst of all the media frenzy.
Adrian: Rich’s series on Pragmatic Data Security is getting interesting with the Define Phase.
Mort: Low Hanging Fruit: Security Management takes Adam’s posts on the topic and fleshes them out.
Meier: Security Strategies for Long-Term, Targeted Threats. “Advanced Persistent Threat” just does not cut it.

Other Securosis Posts

Pragmatic Data Security: Define Phase
Incite 1/27/2010: Depending on the Kids
Network Security Fundamentals: Default Deny
The Certification Myth
Pragmatic Data Security: Groundwork
FireStarter: Security Endangered Species List

Favorite Outside Posts

Rich: Who doesn’t love a good cheat sheet? How about a couple dozen all compiled together into a nicely organized list?
Mike: Daniel Miessler throws a little thought experiment bomb on pushing everyone through a web proxy farm for safer browsing. An interesting concept, and I need to analyze this in more depth next week.
Adrian: Stupid: A Metalanguage For Cryptography. Very cool idea. Very KISS!
Mort: Managing to the biggest risk. More awesomeness from shrdlu. I particularly love the closer: “So I believe politics can affect both how you assess and prioritize your security risks, and how you go about mitigating them. If you had some kind of magic Silly String that you could spray into your organization to highlight the invisible political tripwires, you’d have a much broader picture of your security risk landscape.”
Meier: I luvs secwerity. I also like Tenable’s post on Understanding the New Massachusetts Data Protection Law.

Project Quant Posts

Project Quant: Database Security – Encryption
Project Quant: Project Comments
Project Quant: Database Security – Protect through Monitoring
Project Quant: Database Security – Audit

Top News and Posts

Krebs’ article on the Texas bank preemptively suing a customer.
Feds boost breach fines.
Politics and Security.
Groundspeed: a Firefox add-on for web application pen testers.
PCI QSAs, certifications to get new scrutiny.
It’s The Adversaries Who Are Advanced And Persistent.
The EFF releases a tool to see how private/unique your browser is.
Intego releases their 2009 Mac security report. It’s pretty balanced.

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. Yeah, I am awarding myself a consolation prize for my comment in response to Mike’s post on Security Management, but I have to award this week’s best comment to Andre Gironda, in response to Matt Mike’s post on The Certification Myth.

I usually throw up some strange straw-man and other kinds of confusing arguments like in my first post. But for this one, I’ll get right to the point:

Does anyone know if China{|UK|AU|NZ|Russia|Taiwan|France} has a military directive similar to Department of Defense Directive 8570, thus requiring CISSP and/or GIAC certifications in various information assurance roles?

Does anyone disagree that China has information superiority compared to the US, and potentially due in part to the existence of DoDD 8570?

If China only hires the best (and not just the brown-nosers), then this would stand to achieve them a significant advantage, right? Could it be that instead

Database Security Fundamentals: Introduction

I have been part of 5 different startups, not including my own, over the last 15 years. Every one of them has sold, or attempted to sell, enterprise software. So it is not surprising that when I provide security advice, by default it is geared toward an enterprise audience. And oddly, when it comes to security, large enterprises are a little further ahead of the curve. They have more resources and people dedicated to the subject than small and medium sized businesses, and their coverage is much more diverse.

But security advice does not always transfer well from one audience to the other. The typical SMB IT security team is one person. Or in the case of database security, the DBA and the security practitioner are one and the same. The time they have to spend on learning and performing security tasks is significantly less, and the money they have to spend for security tools and automation is typically minimal.

To remedy that issue I am creating a couple posts for some pragmatic, hands-on tasks for database security. I’ll provide clear and actionable steps to protect your database and the data it stores. This series is geared to small IT shops who just need a straightforward checklist for database security. We’re not covering advanced security here, and we’re not talking about huge database installations with thousands of users, but rather the everyday security stuff you can do in an afternoon. And to keep costs low, I will focus on the security functions built into the database.

Access: User and administrative security, and security on the avenues into and out of the database.

Configuration: Database settings and setup that affect security and protect database functions from subversion or unauthorized alteration. I’ll go into the issue of reliance on the operating system as well.

Audit: An examination of activity, transactions, and anomalous events.

Data Protection: In cases where the database cannot protect access to information, we will cover techniques to prevent information from being lost or stolen.

The goal here is to protect the data stored within the database. We often lose sight of this goal as we spend so much time focusing on the container (i.e., the database) and less on the data and how it is used. Of course I will cover database security – much of which will be discussed as part of access control and configuration sections – but I will include security around the data and database functions as well.

Pragmatic Data Security: Define Phase

Now that we’ve described the Pragmatic Data Security Cycle, it’s time to dig into the phases. As we roll through each of these I’m going to break it into three parts: the process, the technologies, and a case study. For the case study we’re going to follow a fictional organization through the entire process. Instead of showing you every single data protection option at each phase, we’ll focus on a narrow project that better represents what you will likely experience.

Define: The Process

From a process standpoint, this is both the easiest and hardest of the phases. Easy, since there’s only one thing you need to do and it isn’t very technical or complex; hard, since it may involve coordination across multiple business units and the quest for executive sponsorship.

Identify an executive sponsor to support your efforts. Without management support, the rest of the process will be extremely difficult.

Identify the one piece of information/content/data you want to protect. The definition shouldn’t be too broad. For example, “engineering plans” is too broad, but “engineering plans for project X” is acceptable. Using “PCI/NPI/HIPAA” is acceptable, assuming you narrow it down in the next step.

Define and model the information you defined in the step above. For totally unstructured content like engineering plans, identify a repository to use for your definition, or any watermarking/labels you are certain will be available to identify and protect the information. For PCI/NPI/HIPAA determine the exact fields/pieces of data to protect. For PCI it might be only the credit card number, for NPI it might be names and addresses, and for HIPAA it might be ICD9 billing codes. If you are protecting data from a database, also identify the source repository.

Identify key business units with a stake in the information, and contact them to verify the priority, structure, and repositories for this information. It’s no fun if you think you’re going to protect a database of customer data, only to find out halfway through that it’s not really the important one from a business perspective.

That’s it: find a sponsor, identify the category, identify the data/repository, and confirm with the business folks.

Define: Technologies

None. This is a manual business process and the only technology you need is something to take notes with… or maybe email to communicate.

Define: Case Study

Billy Bob’s Bait Shop and Sushi Outlet is a mid-sized, multi-site retail organization that specializes in “The freshest seafood, for your family or aquatic friends”. Billy Bob’s consists of a corporate headquarters and a few dozen retail outlets in three states. There are about 1,000 employees, and a growing web business due to their capability to ship fresh bait or sushi to any location in the US overnight.

Billy Bob’s is struggling with PCI compliance and wants to avoid a major security breach after seeing the damage caused to their major competitor during a breach (John Boy’s Worms and Grub). They do not have a dedicated security team, but their CIO designated one of their top network administrators (the former firewall manager) to head up security operations. Frank has a solid history as a network administrator and is familiar with security (including some SANS training and a CISSP class). Due to problems with their first PCI assessment, Frank has the backing of the CIO.

The category of data is PCI. After some research, Frank decides to go with a multilevel definition – at the top is credit card numbers. Since they are (supposedly) not storing them in a database they could feed to any data protection tools, Frank is starting with a regular expression to identify credit card numbers, and then plans on refining it using customer names (which are stored in the database). He is hoping that whatever tools he picks can use a generic credit card number definition for low-priority alerts, and a credit card (generic) tied with a customer name to trigger higher priority alerts. Frank also plans on using violation counts to help find real problem areas.

Frank now has a generic category (PCI), a specific definition (generic regex and customer name from a database) and the repository location (the customer database itself). From the heads of the customer relations and billing, he learned that there are really two databases he needs to worry about: the main transaction processing/records system for the web outlet, and the point of sale transaction processing system for the retail outlets. The web outlet does not store unencrypted credit card numbers, but the retail outlets currently do, and they are working with the transaction processor to fix that. Thus he is adding credit card numbers from the retail database to his list of data sources. Fortunately, they are only stored in the central processing database, and not at the individual retail outlets.

That’s the setup – in our next post we will cover the Discovery process to figure out where the heck all that data is.
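Frank’s multilevel definition from the case study, sketched as an added example (not code from the original post): a generic card-number regex produces low-priority alerts, a card number in the same record as a known customer name produces a high-priority alert, and violations are counted per source. The Luhn checksum filter goes beyond what the post describes and is added here to cut false positives; the source names, customer names and records are constructed.

```python
import re
from collections import Counter

# Generic definition: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum (an added refinement, not part of Frank's stated plan)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_candidates(text):
    """Digit strings that match the generic regex, separators removed."""
    return [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]


def scan(records, customer_names):
    """Return (alerts, violation counts per source).

    Each alert is (source, priority, masked number). Only the last four digits
    are kept so the alert store does not become another card repository.
    """
    name_res = [re.compile(r"\b" + re.escape(n) + r"\b", re.IGNORECASE)
                for n in customer_names]
    alerts, counts = [], Counter()
    for source, text in records:
        has_name = any(p.search(text) for p in name_res)
        for digits in card_candidates(text):
            if not luhn_ok(digits):
                continue        # regex hit that cannot be a real card number
            priority = "high" if has_name else "low"
            alerts.append((source, priority,
                           "*" * (len(digits) - 4) + digits[-4:]))
            counts[source] += 1
    return alerts, dict(counts)


# Constructed sample data: well-known test card numbers, made-up names and sources.
CUSTOMERS = ["Ann Example", "Joe Sample"]
RECORDS = [
    ("pos-central-db", "2010-01-27 sale cust=Ann Example pan=4111 1111 1111 1111 amt=23.50"),
    ("pos-central-db", "2010-01-27 sale cust=Joe Sample pan=5555-5555-5555-4444 amt=8.00"),
    ("web-outlet-log", "order ref 1234567890123456 shipped overnight"),
    ("helpdesk-mail", "caller read card 4111111111111111 over the phone"),
]

if __name__ == "__main__":
    found, per_source = scan(RECORDS, CUSTOMERS)
    for alert in found:
        print(alert)
    print(per_source)
```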

Incite 1/27/2010: Depending on the Kids

Good Morning:

Maybe it’s the hard-wired pessimist in me, but I never thought I’d live a long life. I know that’s kind of weird to think about, but with my family history of health badness (lots of the Big C), I didn’t give myself much of a chance. At the time, I must have forgotten that 3 out of my 4 grandparents lived past 85, and my paternal grandma is over 100 now (yes, still alive). But when considering your own mortality, logic doesn’t come into play.

I also think my lifestyle made me think about my life expectancy. 3 years ago I decided I needed an attitude adjustment. I was fat and stressed out. Yes, I was running my own business and happy doing that, but it was pretty stressful (because I made it that way) and it definitely took a toll. Then I decided I was tired of being a fat guy. Literally in a second the decision was made. So I joined a gym and actually went. I started eating better and it kind of worked. I’m not where I want to be yet, but I’m getting there.

I’m the kind of guy that needs a goal, so I decided I want to live to 90. I guess 88 would be OK. Or maybe even 92. Much beyond that I think I’ll be intolerably grumpy. I want to be old enough that my kids need to change my adult diapers. Yes, I’m plotting my revenge. Even if it takes 50 years, the tables will be turned.

So how am I going to get there? I stopped eating red meat and chicken. I’m eating mostly plants and I’m exercising consistently and intensely. That’s my plan for now, but I’m also monitoring information sources to figure out what else I can be doing. That’s when I stumbled upon an interesting video from a TED conference featuring Dan Buettner (the guy from National Geographic) who talked about 9 ways to live to 100, based upon his study of a number of “Blue Zones” around the world where folks have great longevity. It’s interesting stuff and Dan is an engaging speaker. Check it out.

Wish me luck on my journey. It’s a day by day thing, but the idea of depending on my kids to change my diaper in 50 years is pretty motivating. And yes, I probably need to talk to my therapist about that.

– Mike

Photo credit: “and adult diapers” originally uploaded by &y

Incite 4 U

It seems everyone still has APT on the brain. The big debate seems to be whether it’s an apt description of the attack vector. Personally, I think it’s just ridiculous vibrations from folks trying to fathom what the adversary is capable of. Rich did a great FireStarter on Monday that goes into how we are categorizing APT and deflating this ridiculous “cyber-war” mumbo jumbo.

Looking at everything through politically colored glasses – We have a Shrdlu admiration society here at Securosis. If you don’t read her stuff whenever she finds the time to write, you are really missing out. Like this post, which delves into how politics impacts the way we do security. As Rich says, security is about psychology and economics, which means we have to figure out what scares our customers the most. In a lot of cases, it’s auditors and lawyers – not hackers. So we have to act accordingly and “play the game.” I know, you didn’t get into technology to play the game, but too bad. If you want to prosper in any role, you need to understand how to read between the lines, how to build a power base, and how to get things done in your organization. And no, they don’t teach that in CISSP class. – MR

I can haz your cloud in compliance – Even the power of cloud computing can’t evade its cousin, the dark cloud of compliance that ever looms over the security industry. As Chris Hoff notes in Cloud: Security Doesn’t Matter, organizations are far more concerned with compliance than security, and it’s even forcing structural changes in the offerings from cloud providers. Cloud providers are being forced to reduce multi-tenancy to create islands of compliance within their clouds. I spent an hour today talking with a (very very big) company about exactly this problem – how can they adopt public cloud technologies while meeting their compliance needs? Oh sure, security was also on the list – but as on many of these calls, compliance is the opener. The reality is you not only need to either select a cloud solution that meets your compliance needs (good luck), or implement compensating controls on your end, like virtual private storage, but you also need to get your regulator/auditor to sign off on it. – RM

It’s just a wafer thin cookie, Mr. Creosote – Nice job by Michael Coates both on discovering and illustrating a Cookie Forcing attack. In a nutshell, an attacker can alter cookies already set regardless of whether it’s an encrypted cookie or not. By imitating the user in a man-in-the-middle attack, the attacker finds an unsecured HTML conversation, requests an unencrypted meta refresh, and then sends “set cookie” to the browser, which accepts the evil cookie. To be clear, this attack can’t view existing cookies, but can replace them. I was a little shocked by this as I was of the opinion meta refresh had not been considered safe for some time, and because the browser happily conflated encrypted and unencrypted session information. One of the better posts of the last week and worth a read! – AL

IT not as a business, huh? – I read this column on not running IT as a business on infoworld.com and I was astounded. In the mid-90’s running IT as a business was all the rage. And it hasn’t subsided since then. It’s about knowing your customer and treating them like they have a choice in service providers (which they do). In fact, a big part of the Pragmatic CSO is to think about security like a business, with a business plan and everything.

Security Strategies for Long-Term, Targeted Threats

After writing up the Advanced Persistent Threat in this week’s FireStarter, a few people started asking for suggestions on managing the problem.

Before I lay out some suggestions, it’s important to understand what we are dealing with here. APT isn’t some sort of technical term – in this case the threat isn’t a type of attack, but a type of attacker. They are advanced – possessing strong skills and capabilities – and persistent, in that if you are a target they will continue to attempt attacks until they succeed or the costs are greater than the potential rewards.

You don’t just have to block them once so they move on – they will continue to probe and strike until they achieve their goal.

Thus my recommendations will by no means “eliminate” APT. I can make a jazillion recommendations on different technology solutions to block this or that attack technique, but in the end a persistent threat actor will just shift tactics in response. Rather, these suggestions will help detect, contain, and mitigate successful attacks.

I also highly suggest you read Andrew Jaquith’s post, with this quote:

If you fall into the category of companies that might be targeted by a determined adversary, you probably need a counter-espionage strategy – assuming you didn’t have one already. By contrast, thinking just about “APT” in the abstract medicalizes the condition and makes it treatable by charlatans hawking miracle tonics. Customers don’t need that, because it cheapens the threat.

If you believe you are a target, I recommend the following:

Segregate your networks and information. The more internal barriers an attacker needs to traverse, the greater your chance to detect. Network segregation also improves your ability to tailor security controls (especially monitoring) to the needs of each segment. It may also assist with compartmentalization, but if you allow VPN access across these barriers, segregation won’t help nearly as much. The root cause of many breaches has been a weak endpoint connecting over VPN to a secured network.

Invest heavily in advanced monitoring. I don’t mean only simple signature-based solutions, although those are part of your arsenal. Emphasize two categories of tools: those that detect unusual behavior/anomalies, and those with extensive collection capabilities to help in investigations once you detect something. Advanced monitoring changes the playing field! We always say the reason you will eventually be hacked is that when you are on defense only, the attacker only needs a single mistake to succeed. Advanced monitoring gives you the same capability – now the attacker needs to execute with greater perfection, over a sustained period of time, or you have a greater chance of detection.

Upgrade your damn systems. Internet Explorer 6 and Windows XP were released in 2001; these technologies were not designed for today’s operating environment, and are nearly impossible to defend. The anti-exploitation technologies in current operating systems aren’t a panacea, but do raise the barrier to entry significantly. This is costly, and I’ll leave it to you to decide if the price is worth the risk reduction. When possible, select 64 bit options as they include even stronger security capabilities. No, new operating systems won’t solve the problem, but we might as well stop making it so damn easy for the attackers.

Longer term, we also need to pressure our application vendors to update their products to utilize the enhanced security capabilities of modern operating systems. For example, those of you in Windows environments could require all applications you purchase to enable ASLR and DEP (sorry Adobe).

By definition, advanced persistent threats are as advanced as they need to be, and won’t be going away. Compartmentalization and monitoring will help you better detect and contain attacks, and are fairly useful no matter what tactics your opponent deploys. They are also pretty darn hard to implement comprehensively in current operating environments.

But again, nothing can “solve” APT, since we’re talking about determined humans with time and resources, who are out to achieve the specific goal of breaking into your organization.
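One way to check the “require ASLR and DEP” purchasing rule above against the binaries a vendor ships, as an added example (not from the original post): read the DllCharacteristics field of the Windows PE optional header and report whether the image opts in to ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT), and whether it is a 64-bit image. The fake_pe helper and its inputs are constructed test data, not real binaries.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF format.
HIGH_ENTROPY_VA = 0x0020   # 64-bit address space ASLR
DYNAMIC_BASE = 0x0040      # image can be relocated at load time (ASLR)
NX_COMPAT = 0x0100         # image is compatible with DEP

PE32, PE32_PLUS = 0x10B, 0x20B   # optional header magic: 32-bit / 64-bit


def pe_mitigations(data):
    """Parse the PE headers in data and return the opt-in mitigation flags."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    opt = e_lfanew + 24            # 4-byte signature + 20-byte COFF header
    if opt + 72 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad or truncated PE header")
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS) or size_opt < 72:
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "bits": 64 if magic == PE32_PLUS else 32,
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "high_entropy_aslr": bool(flags & HIGH_ENTROPY_VA),
    }


def missing_mitigations(data):
    """Names of the required mitigations the image does not opt in to."""
    info = pe_mitigations(data)
    return [name for name, key in (("ASLR", "aslr"), ("DEP", "dep"))
            if not info[key]]


def fake_pe(magic, dll_characteristics):
    """Constructed input: just enough header bytes to parse, not a runnable binary."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24 + 0xF0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 20, 0xF0)      # SizeOfOptionalHeader
    struct.pack_into("<H", buf, e_lfanew + 24, magic)
    struct.pack_into("<H", buf, e_lfanew + 24 + 70, dll_characteristics)
    return bytes(buf)


if __name__ == "__main__":
    samples = {                     # hypothetical file names
        "modern64.exe": fake_pe(PE32_PLUS, 0x0160),
        "legacy32.exe": fake_pe(PE32, 0x0000),
        "dep-only.dll": fake_pe(PE32, NX_COMPAT),
    }
    for name, blob in samples.items():
        print(name, pe_mitigations(blob)["bits"], "bit, missing:",
              missing_mitigations(blob) or "nothing")
```

To review a real installation, pass the bytes of each shipped .exe and .dll to missing_mitigations.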

FireStarter: APT—It’s Called “Espionage”, not “Information Warfare”

There’s been a lot of talk on the Interwebs recently about the whole Google/China thing. While there are a few bright spots (like anything from the keyboard of Richard Bejtlich), most of it’s pretty bad.

Rather than rehashing the potential attack details, I want to step back and start talking about the bigger picture and its potential implications. The Google hack – Aurora or whatever you want to call it – isn’t the end (or the beginning) of the Advanced Persistent Threat, and it’s important for us to evaluate these incidents in context and use them to prepare for the future.

As usual, instead of banding together, parts of the industry turned on each other to fight over the bones. On one side are pundits claiming how incredibly new and sophisticated the attack was. The other side insisted it was a stupid basic attack of no technical complexity, and that they had way better zero days which wouldn’t have ever been caught. Few realize that those two statements are not mutually exclusive – some organizations experience these kinds of attacks on a continuing basis (that’s why they’re called “persistent”). For other organizations (most of them) the combination of a zero-day with encrypted channels is way more advanced than what they’re used to or prepared for. It’s all a matter of perspective, and your ability to detect this stuff in the first place.

The research community pounced on this, with many expressing disdain at the lack of sophistication of the attack. Guess what, folks, the attack was only as sophisticated as it needed to be. Why burn your IE8/Win7 zero day if you don’t have to? I don’t care if an attack isn’t elegant – if it works, it’s something to worry about.

Do not think, for one instant, that the latest wave of attacks represents the total offensive capacity of our opponents.

This is espionage, not ‘warfare’ and it is the logical extension of how countries have been spying on each other since the dawn of human history. You do not get to use the word ‘war’ if there aren’t bodies, bombs, and blood involved. You don’t get to tack ‘cyber’ onto something just because someone used a computer.

There are few to no consequences if you’re caught. When you need a passport to spy you can be sent home or killed. When all you need is an IP address, the worst that can happen is your wife gets pissed because she thinks you’re browsing porn all night.

There is no motivation for China to stop. They own major portions of our national debt and most of our manufacturing capacity, and are perceived as an essential market for US economic growth. We (the US and much of Europe) are in no position to apply any serious economic sanctions. China knows this, and it allows them great latitude to operate.

Every vendor who tells me they can ‘solve’ APT instantly ends up on my snake oil list. There isn’t a tool on the market, or even a collection of tools, that can eliminate these attacks. It’s like the TSA – trying to apply new technologies to stop yesterday’s threats. We can make it a lot harder for the attacker, but when they have all the time in the world and the resources of a country behind them, it’s impossible to build insurmountable walls.

As I said in Yes Virginia, China Is Spying and Stealing Our Stuff, advanced attacks from a patient, persistent, dangerous actor have been going on for a few years, and will only increase over time. As Richard noted, we’ve seen these attacks move from targeting only military systems, to general government, to defense contractors and infrastructure, and now to general enterprise.

Essentially, any organization that produces intellectual property (including trade secrets and processes) is a potential target. Any widely adopted technology services with private information (hello, ISPs, email services, and social networks), any manufacturing (especially chemical/pharma), any infrastructure provider, and any provider of goods to infrastructure providers are on the list.

The vast majority of our security tools and defenses are designed to prevent crimes of opportunity. We’ve been saying for years that you don’t have to outrun the bear, just a fellow hiker. This round of attacks, and the dramatic rise of financial breaches over the past few years, tells us those days are over. More organizations are being deliberately targeted and need to adjust their thinking. On the upside, even our well-resourced opponents are still far from having infinite resources.

Since this is the FireStarter I’ll put my recommendations into a separate post. But to spur discussion, I’ll ask what you would do to defend against a motivated, funded, and trained opponent?


Some APT Controls

Now, all of that said, the world isn’t coming to an end. Just because we can’t eliminate a threat doesn’t mean we can’t contain it. The following strategies aren’t specific to any point technology, but can help reduce the impact when your organization is targeted:

  • Segregate your networks and information. The more internal barriers an attacker needs to traverse, the greater your likelihood of detection. Network segregation also improves your ability to tailor security controls, especially monitoring, to the needs of each segment.
  • Invest heavily in advanced monitoring. I don’t mean only simple signature-based solutions, although those are part of your arsenal. Emphasize two categories of tools: those that detect unusual behavior/anomalies, and those with extensive collection capabilities to help in investigations once you detect something. Advanced monitoring changes the playing field! We always say the reason you will eventually be hacked is that when you are on defense only, the attacker only needs you to make a single mistake to succeed. Advanced monitoring gives you the same capability: now the attacker needs to execute with near-perfection, over a sustained period of time, or you have a greater chance of detection.
  • Upgrade your damn systems. Internet Explorer 6 and Windows XP were released in 2001; these technologies were not designed for today’s operating environment, and are nearly impossible to defend. The anti-exploitation technologies in current operating systems aren’t a panacea, but do raise the barrier to entry significantly. This is costly, and I’ll leave it to you to decide if the price is worth the risk reduction. When possible, select 64-bit options since they include even stronger security capabilities.

Longer term, we also need to pressure our application vendors to update their products to utilize the enhanced security capabilities of modern operating systems. For example, those of you in Windows environments could require all applications you purchase to enable ASLR and DEP (sorry Adobe).

By definition, advanced persistent threats are as advanced as they need to be, and won’t be going away. APT is the logical extension of all of human history; let’s not pretend it is anything more or less.
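The requirement above, that purchased Windows applications enable ASLR and DEP, can be verified from the binaries themselves. This is an added example, not code from the original post: it reads the opt-in bits from a PE header, and the function names and the sample headers are constructed for illustration.

```python
import struct
import sys

# Flag values from the Microsoft PE/COFF specification.
RELOCS_STRIPPED = 0x0001   # COFF Characteristics: image cannot be rebased
HIGH_ENTROPY_VA = 0x0020   # DllCharacteristics: 64-bit high-entropy ASLR
DYNAMIC_BASE = 0x0040      # DllCharacteristics: ASLR opt-in (/DYNAMICBASE)
NX_COMPAT = 0x0100         # DllCharacteristics: DEP opt-in (/NXCOMPAT)
PE32, PE32_PLUS = 0x10B, 0x20B


class NotPE(ValueError):
    """Input is truncated or is not a PE image."""


def mitigations(image: bytes) -> dict:
    """Report the ASLR/DEP opt-in state recorded in a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    opt_off = pe_off + 4 + 20                            # signature + COFF header
    if opt_off + 72 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise NotPE("missing or truncated PE header")
    (coff_flags,) = struct.unpack_from("<H", image, pe_off + 4 + 18)
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (PE32, PE32_PLUS):
        raise NotPE(f"unknown optional-header magic {magic:#x}")
    # DllCharacteristics is at offset 70 of both the PE32 and PE32+ optional header.
    (dll_flags,) = struct.unpack_from("<H", image, opt_off + 70)
    relocatable = not coff_flags & RELOCS_STRIPPED
    return {
        "bits": 64 if magic == PE32_PLUS else 32,
        # The ASLR bit only helps if the loader can actually rebase the image.
        "aslr": bool(dll_flags & DYNAMIC_BASE) and relocatable,
        "high_entropy_aslr": bool(dll_flags & HIGH_ENTROPY_VA) and relocatable,
        "dep": bool(dll_flags & NX_COMPAT),
    }


def policy_failures(report: dict) -> list:
    """Names of the required mitigations (ASLR and DEP) the image lacks."""
    return [name for name in ("aslr", "dep") if not report[name]]


def constructed_header(magic: int, dll_flags: int, coff_flags: int = 0) -> bytes:
    """Constructed sample: just enough of a PE header for the parser above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = bytearray(20)
    struct.pack_into("<H", coff, 18, coff_flags)
    optional = bytearray(72)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_flags)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(optional)


if __name__ == "__main__":
    if sys.argv[1:]:
        images = {}
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                images[path] = fh.read(4096)   # headers sit at the start of the file
    else:
        images = {
            "constructed-hardened-x64": constructed_header(
                PE32_PLUS, DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT),
            "constructed-legacy-x86": constructed_header(PE32, 0),
        }
    for name, image in images.items():
        try:
            missing = policy_failures(mitigations(image))
        except NotPE as exc:
            print(f"{name}: skipped ({exc})")
            continue
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it with file paths as arguments to audit real binaries. DEP is always enforced for 64-bit processes, so the DEP bit matters most for 32-bit applications.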


Low Hanging Fruit: Security Management

To wrap up my low hanging fruit series (I believe Rich and Adrian will be doing their own takes), let’s talk about security management. Yes, there were lots of components of each in the previous LHF posts (network security & endpoint security) that had “management” components, but now let’s talk about the discipline of management, not necessarily the tools.

Think and Be Program

Some folks would rather think and be rich, but if you do security for a living, you need to be thinking about a security program. To be clear, establishing a security program is the single hardest thing any security professional has to do. Period. Nothing else comes close in heartburn, futility, angst, or importance. The folks residing in a hamster wheel of pain (a great term coined by Andy Jaquith, I think) tend to spend most of their time in fire-fighting mode. OK, being honest, they spend all their time fire-fighting. That also means a program is not really low hanging fruit (it’s more like skyscraper hanging fruit), but I don’t think you’ll make much headway with any kind of security management without having the structure of a program in place. Thus, this is really about context and the importance of that context as you look to other security management techniques.

So why is it so hard to get a program off the ground? Per usual, it gets back to shiny objects and your to-do list. It’s just easier to do something else. Senior management doesn’t have to agree to fixing a firewall rule, re-imaging a machine, or patching a bunch of devices. But they do have to buy into a program. Your peers have to agree to think about security before they do things. Since they don’t like to do that, getting consensus is hard. So most folks just don’t do it – and that’s a big mistake. Without the program in place, your likelihood of success is small. Best of all, you don’t have to implement a full program to greatly increase your chance of success.

Yet, all is not lost. You can start slowly with the program and do a few things (kind of low hanging) to get you going:

  • Define success: Without a clear and agreed-upon definition of security success, you may as well give up now. So this really has to be the first step in the process.
  • Communication: How often do you get face time with senior management? It’s probably not enough. Make sure you get an audience as often as you need. In the initial stages probably once a month (if not more often), later on maybe not as much. But if you don’t have something set in stone, scheduled on the calendar, it won’t happen.
  • Accountability: In most organizations, the security team is not well liked. In order to have any chance to implement a security program, you need to change that perception. That’s done one step at a time. Tell them what you are going to do and then do it. Yes, it seems pretty easy. But if it was really easy, everyone would be doing it, right?

Just to throw in a shameless plug, I discussed how to implement a security program in The Pragmatic CSO. It goes into a lot of detail on how to structure the program and get acceptance with your business leaders.

Incident Response

No matter what time it is, it’s time to revisit your incident response plan. Hopefully you haven’t had to use it lately, but don’t get lulled into a false sense of security. Before long you’ll be compromised, and whether you live to fight another day has everything to do with how you respond to the incident. The worst time to learn your IR plan sucks is when you are in the middle of an attack.

First make sure senior management understands roles and responsibilities. Who runs point for what? When do the CEO and board need to be notified? When does law enforcement get involved? All of this needs to be documented and agreed upon.

Next run simulations and practice. Lots of my practitioner friends practice using live ammo, but if you aren’t under constant attack, then you’ll need to schedule time to practice. Yes, shiny objects and fires to fight make it hard to carve out the time to practice the IR process, but don’t neglect your preparation.

Monitor Everything

If there is anything the recent APT (advanced persistent threat) hysteria has shown, it’s that we have little chance against a well-funded and patient attacker. The only chance we have is to figure out they are in the house as soon as possible. I call this Reacting Faster, which of course Rich has to improve by reminding us all to React Faster, and Better.

The point remains that we don’t know where the attacks are coming from (0-day, by definition, means you don’t know about it, so it’s pretty laughable when an IPS vendor says they can protect against a 0-day attack), so we’d better get better at detecting funky behavior. Anomaly detection is your friend. You need to monitor everything you can, baseline the “normal” course of events, and look for something that is not normal. That gives you something to investigate, as opposed to the literally infinite places where you could be looking for an attack.

  • Logging: Your regulations say you need to log stuff, so you probably have some rudimentary logging capability in place. Or you are looking at one. That’s a good idea because all security management starts with data, and a good portion of your data is in log files. So having an automated mechanism to gather and parse logs is a critical first step.
  • Change detection: Malware tends to leave a trail. Well, most malware anyway. To change behavior usually requires some kind of operating system file change. So seeing those changes will usually give you an indication that something is wrong. Look at key network devices and servers, since those are the interesting targets.
  • Network behavioral analysis: Network flow analysis yields some very interesting perspective on what folks are doing with


The Certification Myth

Back when I was the resident security management expert over at TechTarget (a position since occupied by Mort), it was amazing how many questions I got about the value of certifications. Mort confirms nothing has changed. Alex Hutton’s great posts on the new ISACA CRISC certification (Part 1 & Part 2) got me thinking that it’s probably time to revisit the topic, especially given how the difficult economy has impacted job search techniques. So the question remains for practitioners: are these certifications worth your time and money?

Let’s back up a bit and talk about the fundamental motivators for having any number of certifications.

  • Skills: A belief exists that security certifications reflect the competence of the professional. The sponsoring organizations continue to do their job of convincing folks that someone with a CISSP (or any other cert) is better than someone who doesn’t have one.
  • Jobs: Lots of folks believe that being certified in certain technologies makes them more appealing to potential employers.
  • Money: Certifications also result in higher average salaries and more attractive career paths. According to the folks who sell the certifications, anyway.
  • Ego: Let’s be honest here. We all know a professional student or three. These folks give you their business cards and it’s a surprise they have space for their address, with all the acronyms after their name. Certifications make these folks feel important.

So let’s pick apart each of these myths one by one and discuss.

Skills

Sorry, but this one is a resounding NFW. Most of the best security professionals I know don’t have a certification. Or they’ve let it lapse. They are simply too busy to stop what they are doing to take the test. That’s not to say that anyone with the cert isn’t good, but I don’t see a strong relationship between skills and certs.

Another issue is that many of the certification curricula get long in the tooth after a few years. Today’s required skills are quite different than a few years ago because the attack vectors have changed. Unfortunately most of the certifications have not.

Finally, to Alex’s point in the links above, lots of new certifications are appearing, especially given the myths described below. Do your homework and make sure the curriculum makes sense based on your skills, interest, and success criteria.

Jobs

The first justification for going to class and taking the test usually comes down to employment. Folks think that a CISSP, GIAC, or CISM will land them the perfect job. Especially now that there are 100 resumes for every open position, a lot of folks believe the paper will differentiate them.

The sad fact is that far too many organizations do set minimum qualifications for an open position, which then get enforced by the HR automatons. But I’d wonder if that kind of company is somewhere you’d like to work. Can it be a perfect job environment if they won’t talk to you if you don’t have a CISSP?

So getting the paper will not get you the job, but it may disqualify you from interviewing.

Money

The certification bodies go way out of their way to do salary surveys to prove their paper is worth 10-15% over not having it. I’m skeptical of surveys on a good day. If you’re in an existing job, in this kind of economy, your organization has no real need or incentive to give you more money for the certification.

There has also clearly been wage deflation in the security space. Companies believe they can get similar (if not better) talent for less money, so it’s hard for me to see how a certification is going to drive your value up.

Ego

There is something to be said for ego. The importance of confidence in a job search cannot be minimized. It’s one of those intangibles that usually swings decisions in your direction. If the paper makes you feel like Superman, go get the paper. Just don’t get into a scrap with an armed dude. You are not bulletproof, I assure you.

The Right Answer: Stop Looking for Jobs

Most of the great performers don’t look for jobs. They know all the headhunters, they network, they are visible in their communities, and they know about all the jobs coming available – usually before they are available. Jobs come and find them.

So how do you do that? Well, show your kung fu on an ongoing basis. Participate in the security community. Go to conferences. Join Twitter and follow the various loudmouths to get involved in the conversation. Start a blog and say something interesting.

That’s right, there is something to this social networking thing. A recommendation from one of the well-known security folks will say a lot more about you than a piece of paper you got from spending a week in a fancy hotel.

The senior security folks you want to work for don’t care about paper. They care about skills. That’s the kind of place I want to work. But hey, that’s just me.


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.