Research

When it comes to logging, I won’t even step on the same court as Anton. But a couple weeks ago (while I was on the road, thus the late response) he posted on the options for database logging. It’s a good overview of using native logs and log management vs. network appliances, but he totally misses a third option. Most of the Database Activity Monitoring vendors use additional techniques, including agents, to gain a granularity that’s not supported by most native database logs (or better performance when that granularity exists). This is absolutely critical if you want to monitor SQL-statement activity; a growing security requirement. Log management won’t help you if you want to know which administrator is changing your corporate financials, detect SQL injection attacks, or alert when that call center employee drops a “SELECT CC# FROM Customers” using that ad-hoc query tool your forgot to block. There are MANY cases where log management is enough today, but I think over time we’ll all migrate to needing to know the SQL (and then correlate that with application activity). Share:

Live in Phoenix? Interested in Security? Like beer? On January 10th we’re going to revive SunSec. Keep an eye out here and I’ll post more details when we get them. Tentatively plan for 6pm somewhere in the Old Town Scottsdale-Tempe area. Share:

I have to admit, although Apple’s handling of security issues is often a train wreck, I’m still a big fan of Macs and other Apple products. I covered a lot of the firewall issues on this blog and over at TidBITS, but I was still excited when MacWorld asked me to write an article on using the Leopard Firewall. I really try to walk the middle ground when discussing Mac issues, which can tend to get a little emotional for some people. Some of my security friends accuse me of selling out when I write an article like this, while Mac zealots cry havoc at any criticism of their favorite platform. As with everything, the truth is somewhere in the middle. Apple has a long way to go with security, but we do see them taking some baby steps in the right direction. Trying to beat Apple over the head clearly doesn’t work, so I try and take a reasoned approach to criticism; giving them credit for the work they’ve done while offering specific suggestions for improvements where they fail. The truth is, even with all their faults and the critical vulnerabilities (including 0days) we’ve seen, the average Mac user is safer than the average Windows XP user as they go through their computing days. But we also need to recognize that this won’t hold true as the popularity of the platform continues to grow. We’re seeing the early signs that the bad guys are gaining interest in Macs, and there are flaws in the platform they can eventually use to cause some damage. I suspect that once this starts occurring on a large enough scale, Apple will have to respond and start adopting some of the development processes and security features we see at Microsoft. If only Microsoft would learn a little about usability from Apple… then we’d have a serious fight. Anyway, you can check it out here. Share:

Chris Hoff returned to the podcast this week to discuss the little awareness campaign we cooked up (no, he didn’t really hack me) and talk about the future of security over the next few years. I think this is one of our best episodes ever. If you’re interested in learning how us pundits look at the industry and recognize trends, you’ll want to listen to this one. Chris, Martin, and I really dig in deep on where security is headed and why. As always, you can find it at netsecpodcast.com… Share:

More on this later, but I’m starting to see the data security market splitting along two lines. One focused on protecting content in user workspaces and productivity applications. It’s starting with DLP but moving towards what I call Content Monitoring and Protection. On the other side of data security is protecting content in business applications- from your web application stack to internal applications and databases. I’m starting to call this Application and Database Monitoring and Protection, and Database Activity Monitoring is where it’s starting. Since we need definitions, here’s my first stab for ADMP: Products that monitor all activity in a business application and database, identify and audit users and content, and, based on central policies, protect data based on content, context, and/or activity. For CMP, I’m sticking with my DLP definition (DLP is a terrible term, but I’m not going to fight the market): Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis. Share:

Chris Hoff and I decided to have a little fun and fake some back and forth exploits to highlight some security risks. It’s nearing the end of the year; either crunch time for some of you, or boring time for the rest. We figured a little humor couldn’t hurt in either case. We decided to blow this open early so it doesn’t get away from us. The attack Chris described could clearly work, but I’m surprised more people didn’t pick up the holes. While I do have a home automation system (but no cameras) I don’t know of any that use SCADA-based technologies. Then again, SCADA is going all IP so it might not be a stretch to define my system that way. For the record, I use an Insteon system but haven’t finished implementation yet. Bonus points to the commenters that noticed there’s no way I’d have a yard with that much green in Phoenix. The idea of the Quicktime rtsp attack was completely real. Until Apple released the patch a day or so ago, the only defense was avoiding clicking on potentially hostile links. I trust Chris, and would click on most things he sends me. Outbound filtering (which I do one one of my machines) could block the request unless it directed me to an unusual port; something Chris is capable of. The idea of pwning my workstation is dead on- and one reason I often recommend SCADA workstations be isolated from the Internet. I don’t have to take over your SCADA network if I can take over the workstation and do whatever I want when you aren’t looking. We were planning on highlighting a few other attack vectors in the next few days. Among them was a fake pretexting of Chris’s phone (we had a viable way for me to get his SSN) and username/password sniffing from wireless access points. All are common vectors that even us security pros are a little lax with sometimes. I suspect most of you enjoyed this, and we’ll come up with something more creative for April 1. Share:

My second monthly column is up over at Dark Reading; The Perils of Predictions & Predicting Perils. This is not your ordinary year-end prediction special. Here’s an excerpt: As the end of the year approaches, a strange phenomenon begins. As we relax and prepare for the holidays, we feel a strange compulsion to predict the future. For some, this compulsion is so overwhelming that it bursts the bounds of late night family dinners and explodes onto the pages of blogs, magazines, newspapers and the ever-dreaded year-end specials on TV. Ah, year’s end. Legions of armchair futurists slobber over their keyboards, spilling obvious dribble that they either predict every year until it finally happens or is so nebulous that they claim success if a butterfly flaps its wings in Liechtenstein. As you can tell, I’ve never been the biggest fan of these year-end predictions, especially in the security business. Since the days of the slide rule, scores of pundits have consistently, inaccurately predicted a devastating SCADA attack or the next big worm. Instead, I focus on two major threat trends and the security innovation they are inspiring. My favorite line in the column is near the end, so I’ll pull it out: Vulnerability scanning, secure software development, and programmer security training cannot solve the Web application security problem. I’ll leave you with two words: anti-exploitation, but you should really go read the article. Share:

Here I am, about 30 hours away from home, and my home automation system is freaking out. Why does stuff like this only happen when I’m on the road? Time to whip out my copy of How To Prepare For The Robot Uprising. I guess I know what I’ll be fixing this weekend… Share:

Oh no he didn’t! http://rationalsecurity.typepad.com/blog/2007/12/breaking-news-s.html I should be crossing the border back to the US in about 12 hours. Share:

Ah, the wonders of year end predictions. We just couldn’t help ourselves, so we invited Chris Hoff, our favorite prognosticator, to join us. This week focuses on the negative trends affecting security, and Chris will be joining us again next week to finish up with the positive. As always, show notes and podcast link are over at NetSecPodcast.com. Share: