Research

I was debating about writing anything personal about 2008, but after reading Mike’s Security Incite today I figure a little personalization on the site won’t hurt. If you’re not interested in what I’m up to professionally and personally, this is a good post to skip. 2007 was a very intense year. I built a new house, moved, quit my job, traveled all over the freaking place, and tried my best to cling to a personal life. At times I was elated, completely burned out, inspired, bored, physically fit, and old fat and lazy. It was a heck of a year, and all in all I enjoyed it thoroughly. I’m not one for resolutions, but I’m really looking forward to 2008 and have some specific goals. Business-wise, Securosis is going better than I ever expected. I wasn’t one of those analysts that believed my own hype and assumed the world was just begging for my attention. Leaving a good job with a steady paycheck for nebulous reasons is always a little daunting, but after 4 full months on my own things are cruising along and at times I can barely keep up. I need to thank all of you for the support- from readers and commenters to paying customers. I’m well diversified in my client base (vendors, end users, and investment types), and the kinds of projects I’m engaged in. And I’m having a blast. There’s a lot on tap for 2008. I’ll be pumping out more free whitepapers through SANS- mostly focused on data and application security, with a few I hope to co-author on other topics. I have a bunch of speaking engagements lined up, and will promote those more heavily as they get closer (including RSA). If all goes well, I might even be able to self publish a book on data security before the end of the year. I’ll also continue to write over at Dark Reading, TidBITS, and other publications as opportunities come up. I’m already ecstatic about the consulting projects that are coming up- it’s been a long time since I did project-based work and I really enjoy digging in deeper on things (everything from product assessments to data security strategies). My main goal is to accomplish all of this while maintaining a good work/life balance. I’ve let that slip in the past, especially when I was an analyst. As far as I know we only have one shot on this planet and I don’t intend to spend it stressed out and working all the time. And, to be honest, the quality of work suffers if you aren’t happy. Personally the year is going to start a little rough- I have to get shoulder surgery to repair a SLAP tear. I’m a very physically active guy and it’s been torture to restrict my activities since I hurt it at the end out August. I even quit my martial arts training- can’t throw a punch. I’ll be on restricted duty for 3-6 months, and probably won’t be 100% for a year. On the upside, it gives me an excuse to return to base training, rebuild from the past years of abuse on airplanes, and enjoy some of my other hobbies. I have some woodworking projects in mind, want to finish wiring the house, and finally finish unpacking from the move. Maybe it’s selfish, but in 2008 I plan on having fun, helping others, making a living, and enjoying life. When you get down to it, what else is there? Share:

If you read this blog, odds are today and tomorrow you’ll be responsible for “fixing” the computers of your extended family. It’s also a great excuse to get you some much-needed web browsing time if the family conversations get boring. Here’s my (very short) checklist: Make sure they’re behind some sort of NAT firewall/home router. Anything that keeps them from being directly connected to the Internet. Do a quick check to make sure it isn’t forwarding any ports to internal addresses. A cheap $50 router/wireless access point alone will stop most worm/network attacks. If they don’t have one, you now have a convenient excuse to visit Fry’s Electronics or your local Circuit Buy. Back up their photos onto an external hard drive or CD/DVD. For many people, nothing else really matters. This should get you out of any idle chit-chat, and no one needs to know you’re reading Slashdot and drinking a beer in the back room. You can milk this one for as long as needed, and it comes across as being more helpful than just watching sports. Check to see if Windows is updated. If it isn’t, assume they are infected. If they don’t have SP2, buy them a new computer. Run a quick scan for any obvious spyware/malware. I ask if the computer’s been running slow lately; that’s a good indicator. Otherwise just download one of the free tools and give it a run. If their AV suite is out of date, and they use the computer for more than the most simple of tasks, assume it’s infected. At this point I will usually load up a free suite of tools (AVG Free, whatever anti-spyware is handy, and activate the Windows firewall). This is your time to work on blog entries and maybe Twitter a bit, although if the computer is infected you won’t want to log into any of your accounts. If you need more alone time, stare at the screen and curse occasionally as people walk past. They’ll leave you alone. If you’re pretty sure it’s infected you have a choice. If the computer is old, tell them to buy a new one (preferably a Mac). If it’s current but blasted, tell them to back up important files and nuke it from orbit. If it’s your parents, back up and nuke it yourself. Send someone to buy you better beer (Stone Arrogant Bastard should do) so you can “concentrate” better. Tell your father/uncle/father-in-law/whoever to stop going to “those” sites. When they deny it, show them their cookie files. When they still deny it, close the door to the room and open up the web cache. If they still deny it, blame your 4 year-old nephew and suggest a good child psychologist. If they don’t cave at this point, tell them Crazy Uncle Bobby touched you as a kid; maybe it’s his fault. Turn on their antispam, preferably at the ISP level. This will stop a lot of email viruses. No matter what, tell them you found terrorist child pornography from gambling sites on their system, and inform them to never click on anything in email. This should keep them out of trouble. If you just backup the files, do a quick check, and figure out if you need to nuke it or keep it, that’s enough and only takes a few minutes. Feel free to extend as long as needed based on your particular family dynamics. If your family has Macs, you might need to fake it. They’ll probably catch you. Me? My immediate family has Macs and my wife’s side is local and I fix things as they happen. The good beer is in the fridge and I intend to fully enjoy a couple days of watching sports and making Lego robots with my nieces and nephew. Happy Holidays- see ya in a few days. Share:

When it comes to logging, I won’t even step on the same court as Anton. But a couple weeks ago (while I was on the road, thus the late response) he posted on the options for database logging. It’s a good overview of using native logs and log management vs. network appliances, but he totally misses a third option. Most of the Database Activity Monitoring vendors use additional techniques, including agents, to gain a granularity that’s not supported by most native database logs (or better performance when that granularity exists). This is absolutely critical if you want to monitor SQL-statement activity; a growing security requirement. Log management won’t help you if you want to know which administrator is changing your corporate financials, detect SQL injection attacks, or alert when that call center employee drops a “SELECT CC# FROM Customers” using that ad-hoc query tool your forgot to block. There are MANY cases where log management is enough today, but I think over time we’ll all migrate to needing to know the SQL (and then correlate that with application activity). Share:

Live in Phoenix? Interested in Security? Like beer? On January 10th we’re going to revive SunSec. Keep an eye out here and I’ll post more details when we get them. Tentatively plan for 6pm somewhere in the Old Town Scottsdale-Tempe area. Share:

I have to admit, although Apple’s handling of security issues is often a train wreck, I’m still a big fan of Macs and other Apple products. I covered a lot of the firewall issues on this blog and over at TidBITS, but I was still excited when MacWorld asked me to write an article on using the Leopard Firewall. I really try to walk the middle ground when discussing Mac issues, which can tend to get a little emotional for some people. Some of my security friends accuse me of selling out when I write an article like this, while Mac zealots cry havoc at any criticism of their favorite platform. As with everything, the truth is somewhere in the middle. Apple has a long way to go with security, but we do see them taking some baby steps in the right direction. Trying to beat Apple over the head clearly doesn’t work, so I try and take a reasoned approach to criticism; giving them credit for the work they’ve done while offering specific suggestions for improvements where they fail. The truth is, even with all their faults and the critical vulnerabilities (including 0days) we’ve seen, the average Mac user is safer than the average Windows XP user as they go through their computing days. But we also need to recognize that this won’t hold true as the popularity of the platform continues to grow. We’re seeing the early signs that the bad guys are gaining interest in Macs, and there are flaws in the platform they can eventually use to cause some damage. I suspect that once this starts occurring on a large enough scale, Apple will have to respond and start adopting some of the development processes and security features we see at Microsoft. If only Microsoft would learn a little about usability from Apple… then we’d have a serious fight. Anyway, you can check it out here. Share:

Chris Hoff returned to the podcast this week to discuss the little awareness campaign we cooked up (no, he didn’t really hack me) and talk about the future of security over the next few years. I think this is one of our best episodes ever. If you’re interested in learning how us pundits look at the industry and recognize trends, you’ll want to listen to this one. Chris, Martin, and I really dig in deep on where security is headed and why. As always, you can find it at netsecpodcast.com… Share:

More on this later, but I’m starting to see the data security market splitting along two lines. One focused on protecting content in user workspaces and productivity applications. It’s starting with DLP but moving towards what I call Content Monitoring and Protection. On the other side of data security is protecting content in business applications- from your web application stack to internal applications and databases. I’m starting to call this Application and Database Monitoring and Protection, and Database Activity Monitoring is where it’s starting. Since we need definitions, here’s my first stab for ADMP: Products that monitor all activity in a business application and database, identify and audit users and content, and, based on central policies, protect data based on content, context, and/or activity. For CMP, I’m sticking with my DLP definition (DLP is a terrible term, but I’m not going to fight the market): Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis. Share:

Chris Hoff and I decided to have a little fun and fake some back and forth exploits to highlight some security risks. It’s nearing the end of the year; either crunch time for some of you, or boring time for the rest. We figured a little humor couldn’t hurt in either case. We decided to blow this open early so it doesn’t get away from us. The attack Chris described could clearly work, but I’m surprised more people didn’t pick up the holes. While I do have a home automation system (but no cameras) I don’t know of any that use SCADA-based technologies. Then again, SCADA is going all IP so it might not be a stretch to define my system that way. For the record, I use an Insteon system but haven’t finished implementation yet. Bonus points to the commenters that noticed there’s no way I’d have a yard with that much green in Phoenix. The idea of the Quicktime rtsp attack was completely real. Until Apple released the patch a day or so ago, the only defense was avoiding clicking on potentially hostile links. I trust Chris, and would click on most things he sends me. Outbound filtering (which I do one one of my machines) could block the request unless it directed me to an unusual port; something Chris is capable of. The idea of pwning my workstation is dead on- and one reason I often recommend SCADA workstations be isolated from the Internet. I don’t have to take over your SCADA network if I can take over the workstation and do whatever I want when you aren’t looking. We were planning on highlighting a few other attack vectors in the next few days. Among them was a fake pretexting of Chris’s phone (we had a viable way for me to get his SSN) and username/password sniffing from wireless access points. All are common vectors that even us security pros are a little lax with sometimes. I suspect most of you enjoyed this, and we’ll come up with something more creative for April 1. Share:

My second monthly column is up over at Dark Reading; The Perils of Predictions & Predicting Perils. This is not your ordinary year-end prediction special. Here’s an excerpt: As the end of the year approaches, a strange phenomenon begins. As we relax and prepare for the holidays, we feel a strange compulsion to predict the future. For some, this compulsion is so overwhelming that it bursts the bounds of late night family dinners and explodes onto the pages of blogs, magazines, newspapers and the ever-dreaded year-end specials on TV. Ah, year’s end. Legions of armchair futurists slobber over their keyboards, spilling obvious dribble that they either predict every year until it finally happens or is so nebulous that they claim success if a butterfly flaps its wings in Liechtenstein. As you can tell, I’ve never been the biggest fan of these year-end predictions, especially in the security business. Since the days of the slide rule, scores of pundits have consistently, inaccurately predicted a devastating SCADA attack or the next big worm. Instead, I focus on two major threat trends and the security innovation they are inspiring. My favorite line in the column is near the end, so I’ll pull it out: Vulnerability scanning, secure software development, and programmer security training cannot solve the Web application security problem. I’ll leave you with two words: anti-exploitation, but you should really go read the article. Share:

Here I am, about 30 hours away from home, and my home automation system is freaking out. Why does stuff like this only happen when I’m on the road? Time to whip out my copy of How To Prepare For The Robot Uprising. I guess I know what I’ll be fixing this weekend… Share: