Best Book Bejtlich Read in 2011

It's time to name the winner of the Best Book Bejtlich Read award for 2011!

I've been reading and reviewing digital security books seriously since 2000. This is the 6th time I've formally announced a winner; see my bestbook label for previous winners.

Compared to 2010 (31 books), 2011 saw a decrease to 22 books. Remember all reading is neither equal nor fast. When I review a book, I am sure to read it and not just skim it. For 10 books last year, I chose not to read them but to instead post impressions. Posts called "impressions" provide my sense of the book but I do not publish them in my Amazon.com reviews.

My ratings for 2011 can be summarized as follows:

• 5 stars: 10 books


• 4 stars: 7 books


• 3 stars: 4 books


• 2 stars: 1 book


• 1 stars: 0 books

Please remember that I try to avoid reading bad books. If I read a book and I give it a lower rating (generally 3 or less stars), it's because I had higher hopes.

Here's my overall ranking of the five star reviews; this means all of the following are excellent books. The links point to my reviews.

• 10. pfSense by Jim Pingle; Reed Media Services.


• 9. Beginning Visual C++ 2010 by Ivor Horton; Wrox


• 8. Windows System Programming, 4th Ed by Johnson M. Hart; Addison-Wesley.


• 7. Beginning C, 4th Ed by Ivor Horton; Apress


• 6. Robust Control System Networks by Ralph Langner; Momentum Press.


• 5. Managed Code Rootkits by Erez Metula; Syngress.


• 4. Ghost in the Wires by Kevin Mitnick and William L. Simon; Little, Brown and Company.


• 3. America the Vulnerable by Joel Brenner; Penguin Press HC.


• 2. Windows Internals, 5th Ed by Mark Russinovich, David A. Solomon, and Alex Ionescu; Microsoft Press.

And, the winner of the Best Book Bejtlich Read in 2011 award is...

• Hacking: The Art of Exploitation, 2nd Ed by Jon Erickson; No Starch. My review said in part:
  
  Jon Erickson's Hacking, 2nd Ed (H2E) is one of the most remarkable books in the group I just read. H2E is in some senses amazing because the author takes the reader on a journey through programming, exploitation, shellcode, and so forth, yet helps the reader climb each mountain. While the material is sufficiently technical to scare some readers away, those that remain will definitely learn more about the craft.

Looking at publishers, for the first year I can remember no publisher won more than one title. No Starch breaks the string of 3 straight previous BBBR victories held by Syngress.

Thank you to all publishers who sent me books in 2011. I have plenty more to read in 2012.

Congratulations to all the authors who wrote great books in 2011, and who are publishing titles in 2012!

Tweet

Telling a Security Story with Charts

The image at left appeared in the 31 December 2011 edition of The Economist magazine in the article Economics focus -- How to get a date: The year when the Chinese economy will truly eclipse America’s is in sight. It depicts 15 measurements of the US and Chinese economies, with historical and projected data. There is a version available at this page with more statistics comparing the two nations.

The Economist presents these charts for the following reason:

In the spring of 2011 the Pew Global Attitudes Survey asked thousands of people worldwide which country they thought was the leading economic power. Half of the Chinese polled reckoned that America remains number one, twice as many as said “China”. Americans are no longer sure: 43% of US respondents answered “China”; only 38% thought America was still the top dog. The answer depends on which measure you pick. (emphasis added)

The reason I like these charts is that they remind me of how many security practitioners think about "being secure." Managers likely often ask security staff "Are we secure?" The truth is there is no single number, so anyone selling you a "risk" number is wasting your time (and probably your money). However, it would be much more useful to display a chart like that created by the Economist. The security staff could choose a dozen or more simple metrics to paint a picture, and let the viewer interpret the answer using his or her own emphasis and bias.

Another reason I like the Economist chart is that the magazine built it using specified assumptions of future activity, listed in the article. If you disagree with these assumptions you can visit the second link I posted to devise your own charts. Although not shown here, what would be even more useful is showing these charts as a time series, with snapshots for January, then February, and so on. This "small multiples" approach (promoted by Tufte) capitalizes on the skill of the human eye and brain to observe and observe differences in similar objects.

If you had to pick a dozen or so indicators of security for a chart, what would you depict? The two I consider non-negotiable are 1) incidents per unit time and 2) time to containment for incidents.

Tweet

Happy 9th Birthday TaoSecurity Blog

Today, 8 January 2012, is the 9th birthday of TaoSecurity Blog. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. 2843 posts later, I am still blogging. Looking at all 9 years of blogging, I averaged 315 per year, but in the age of Twitter (2009-2011) I averaged only 171 blog posts per year.

I plan to continue blogging, but I expect around the same number as last year -- somewhere in the 60 to 100 post range. I spend a lot more time expressing my views to the press and market researchers and analysts, so I'm often less inclined to do more of that in my free time through this blog. I plan to devote any decent chunks of free time to more traditional writing. I love to use Twitter for quick commentary. Thanks for joining me these 9 years -- I hope to have a 10 year post in 2013!

If you're a security blogger, and you like this blog, please consider voting for me via the 2012 Social Security Bloggers Awards. I'm nominated for "Most Educational Security Blog" and the Hall of Fame. Thank you again!

Don't forget -- today is Elvis Presley's birthday. Coincidence? You decide.

The image shows Elvis training with Ed Parker, founder of American Kenpo. As I like to tell my students, Elvis' stance is so wide it would take him a week to react to an attack. Then again, he's Elvis.

I studied Kenpo in San Antonio, TX but I'm going to try Tai Chi again, something I first practiced about 16 years ago in Billerica, MA during grad school.

Tweet

Mandiant Webinar Wednesday; Help Us Break a Record!

I'm back for the last Mandiant Webinar of the year, titled State of the Hack: It's The End of The Year As We Know It - 2011. And you know what? We feel fine! That's right, join Kris Harms and me Wednesday at 2 pm eastern as we discuss our reactions to noteworthy security stories from 2011.

Register now and help Kris and me beat the attendee count from last month's record-setting Webinar.

If you have questions about and during the Webinar, you can always send them via Twitter to @mandiant and use the hashtag m_soh.

Tweet

Tripwire Names Bejtlich #1 of "Top 25 Influencers in Security"

I've been listed in other "top whatever" security lists a few times in my career, but appearing in Tripwire's Top 25 Influencers in Security You Should Be Following today is pretty cool! Tripwire is one of those technologies and companies that everyone should know. It's almost like the "Xerox" of security because so many people equate the idea of change monitoring with Tripwire. So, I was happy to see my twitter.com/taosecurity feed and the taosecurity.blogspot.com blog make their cut.

David Spark asked for my "security tip for 2012," which I listed as:

Improve your incident detection and response program by answering two critical questions:

1. How many systems have been compromised in any given time period; and

2. How much time elapsed between incident identification and containment for each system?

Use the answers to improve and guide your overall security program.

Those of you on the securitymetrics mailing list, and a few other places, have heard me speaking about this topic. I'll probably blog about it in the future, but suffice it to say that those are the key issues you should address in 2012 in my opinion.

Tweet

Become a Hunter

Earlier this year SearchSecurity and TechTarget published a July-August 2011 issue (.pdf) with a focus on targeted threats. Prior to joining Mandiant as CSO I wrote an article for that issue called "Become a Hunter":

IT’S NATURAL FOR members of a technology-centric industry to see technology as the solution to security problems. In a field dominated by engineers, one can often perceive engineering methods as the answer to threats that try to steal, manipulate, or degrade information resources. Unfortunately, threats do not behave like forces of nature. No equation can govern a threat’s behavior, and threats routinely innovate in order to evade and disrupt defensive measures.

Security and IT managers are slowly realizing that technology-centric defense is too easily defeated by threats of all types. Some modern defensive tools and techniques are effective against a subset of threats, but security pros in the trenches consider
the “self-defending network” concept to be marketing at best and counter-productive at worst. If technology and engineering aren’t the answer to security’s woes, then what is?

Download and read my article starting on page 19 for the answer! July-August 2011 issue (.pdf)
Tweet

National Public Radio Talks Chinese Digital Espionage

When an organization like National Public Radio devotes an eleven minute segment to Chinese digital espionage, even the doubters have to realize something is happening. Rachel Martin's story China's Cyber Threat A High-Stakes Spy Game is excellent and well worth your listening (.mp3) or reading time.

Rachel interviews three sources: Ken Lieberthal of the Brookings Institution, Congressman Mike Rogers (chairman of the House Intelligence Committee), and James Lewis from the Center for Strategic and International Studies.

If you listen to the report you'll hear James Lewis mention "a famous letter from three Chinese scientists to Deng Xiaoping in March of 1986 that says we're falling behind the Americans. We're never going to catch up unless we make a huge investment in science and technology."

James is referring to the so-called 863 Program (Wikipedia). You can also read directly from the Chinese government itself here, e.g.:

In 1986, to meet the global challenges of new technology revolution and competition, four Chinese scientists, WANG Daheng, WANG Ganchang, YANG Jiachi, and CHEN Fangyun, jointly proposed to accelerate China’s high-tech development. With strategic vision and resolution, the late Chinese leader Mr. DENG Xiaoping personally approved the National High-tech R&D Program, namely the 863 Program.

Implemented during three successive Five-year Plans, the program has boosted China’s overall high-tech development, R&D capacity, socio-economic development, and national security.

In April 2001, the Chinese State Council approved continued implementation of the program in the 10th Five-year Plan. As one of the national S&T program trilogy in the 10th Five-year Plan, 863 Program continues to play its important role.

1. Orientation and Objectives

Objectives of this program during the 10th Five-year Plan period are to boost innovation capacity in the high-tech sectors, particularly in strategic high-tech fields, in order to gain a foothold in the world arena; to strive to achieve breakthroughs in key technical fields that concern the national economic lifeline and national security; and to achieve “leap-frog” development in key high-tech fields in which China enjoys relative advantages or should take strategic positions in order to provide high-tech support to fulfill strategic objectives in the implementation of the third step of our modernization process.

There's more to read, but that gives you a sense of what the "letter" involves.

I hope this NPR story helps some of you realize that the China threat is not "hype." Consider Dr Lieberthal in relation to Chairman Rogers and Jim Lewis. You can decide to try to refute their positions by saying that the Chairman has "an agenda," and Mr Lewis is essentially too distant from the problem. I personally think Chairman Rogers is right on the money, but I sometimes question where Mr Lewis gets his information.

Dr Lieberthal, however, is one of the world's finest minds regarding China (Wikipedia entry), and he served in the Clinton administration. He even wrote a book on how to achieve corporate success in China (Managing the China Challenge: How to Achieve Corporate Success in the People's Republic). He is not a "China hawk" trying to start some kind of "war" with the Chinese, yet he takes the threat seriously enough to discuss the countermeasures he takes when visiting China ten times a year. Do those who doubt the China threat still believe it's all "hype"?

Tweet

Dustin Webber Creates Network Security Monitoring with Siri

Dustin Webber just posted a really cool video called Network Security Monitoring with Siri. He shows how he uses his iPhone 4S and SiriProxy to interact with his Snorby Network Security Monitoring platform.

The following screenshot shows Dustin asking "Can you show me what the last severity medium event was?" and Siri answering.



Later he asks Siri to tell him about "incident 15":



Near the end Dustin asks Siri if she likes Network Security Monitoring:



This is just about the coolest thing I've seen all year. Ten years ago I thought it was cool to listen to Festival read Sguil events out loud -- now Dustin shows how to interact with a NSM platform by voice command. Amazing!

Tweet

Trying NetworkMiner Professional 1.2

Erik Hjelmvik was kind enough to send an evaluation copy of the latest version of his NetworkMiner traffic analysis software. You can download the free edition from SourceForge as well. I first mentioned NetworkMiner on this blog in September 2008.

NetworkMiner is not a protocol analyzer like Wireshark. It does not take a packet-by-packet approach to representing traffic. Instead, NetworkMiner displays traffic in any one of the following ways: as hosts, frames, files, images, messages, credentials, sessions, DNS records, parameters, keywords, or cleartext. To demonstrate a few of these renderings, I asked NetworkMiner to parse the sample pcap from a sample lab from TCP/IP Weapons School 2.0. I did not need to install it; the software starts from a single executable and loads several DLLs in the associated directory.

The following screen capture shows information from the Hosts tab, showing what NetworkMiner knows about 192.168.230.4.



Notice that in addition to summarizing information about traffic to and from the host, in terms of packets or sessions, we also see what NetworkMiner knows about the host, like Queried NetBIOS names, Web Browser User Agents, and so on.

The following screen capture shows the Files tab. This displays all the content that NetworkMiner extracted from the traffic to the analysis workstation hard drive (or in my case, the NetworkMiner USB thumb drive).



I think NetworkMiner is pretty cool, especially given what you can do with the free version. My primary recommendation for improvement would be an interface that allows the user to easily pivot from one piece of information to the next. With the current environment, the analyst seems confined to the tab at hand. I would like to see a way to right click on an element of the displayed information and then execute a query based on my selection. It would also be helpful to be able to right click and open associated data in another traffic analysis program like Wireshark.

Thank you to Erik Hjelmvik for the opportunity to take another look at NetworkMiner!

Tweet

Thoughts on 2011 ONCIX Report

Many of you have probably seen coverage of the 2011 ONCIX Reports to Congress: Foreign Economic and Industrial Espionage. I recommend every security professional read the latest edition (.pdf). I'd like to highlight the key findings of the 2011 version:

Pervasive Threat from Adversaries and Partners

Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.

• Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.

• Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.

• Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.

What's so significant about that section? The ONCIX is naming names right from the start, and concentrating squarely on China and Russia.

Contrast the 2011 approach with the 2008 report. If you search for "China" in the 2008 edition, you'll see only these sections in the main body of the report:

• China and Russia accounted for a considerable portion of foreign visits to DOE facilities during FY 2008.


• China continues to be a leading competitor in the race for clean coal technology.


• The DNI Open Source Center (OSC) contributes to the CI community’s effort against
  China by monitoring foreign-language publications and Web sites for indications of
  threats and sharing this information with appropriate agencies, including law
  enforcement.

That's very different from the direct approach taken in 2011. However, if you check "Appendix B: Selected Arrests and Convictions for Economic Collection and Industrial Espionage Cases in FY 2008," in the 2008 report, you find China listed as the perpetrator of 7 of the 23 cases! So, although China has been an active threat for many years, only now is the ONCIX shining the spotlight on that country (along with Russia) as primary threats to US secrets and intellectual property.

Tweet

Tao of Network Security Monitoring, Kindle Edition

I just noticed there is now a Kindle edition of my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection, published in July 2004. Check out what I wrote in the first paragraphs now available online.

---

Welcome to The Tao of Network Security Monitoring: Beyond Intrusion Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term "will." Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusion -- a real compromise, not a simple Web page defacement -- you'll realize the security principles and systems outlined here are both necessary and relevant.

This book is about preparation for compromise, but it's not a book about preventing compromise. Three words sum up my attitude toward stopping intruders: prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision.

Once your security is breached, everyone will ask the same question: now what? Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success. If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail.

---

I wrote that eight years ago, and thankfully my concept that "prevention eventually fails" (which I coined in that book) is finally gaining ground.
Tweet