Security vendor Sourcefire Inc. on Monday will announce a new security appliance that company executives say will make intrusion detection systems more efficient and valuable in enterprise networks. The Real-Time Network Awareness appliance combines vulnerability assessment and correlation with change management in an effort to reduce or even eliminate the false positives and negatives that plague IDS systems.
The RNA box is meant to work in conjunction with Sourcefire's Intrusion Management System, which is based on the open-source Snort IDS. The appliance starts by identifying all of the assets on a network and assessing their current state. Then, it performs continuous monitoring of the network and alerts the administrator to any changes, such as new devices coming online or unusual services being used on a server.
Saturday, May 31, 2003
Friday, May 30, 2003
Air Force Service Evaluates Patches (19 May 2003)
The Air Force has established the Enterprise Network Operations Support Cell (ENOSC), a software patch service. Patches are tested by the Air Force Computer Emergency Response Team which assesses its effectiveness and assigns it a number indicating its likelihood of interfering with other software. The patch along with that information is placed on the site and administrators can decide if it's an appropriate patch for their systems. ENOSC supports Windows 9x, NT 4.0, 2000 and XP, as well as Exchange Server and Internet Explorer. It also supports Sun Solaris and plans to add Linux and HP-UX.
This sounded suspicious to me, as the original article says:
"When a patch comes out for those OSes or applications, the Air Force Computer Emergency Response Team judges its effectiveness—that is, does it in fact fix the problem? A nine-member ENOSC team evaluates the patch’s impact on the OS and on the applications likely to be running under it."
One of my friends at the AFCERT confirmed that the AFCERT is NOT testing patches. The ENOSC performs the testing, while the AFCERT issues compliance orders. The AFCERT is not equipped to test patches, and that is not its primary mission anyway.
Thursday, May 29, 2003
I call such prospective clients HE-men (after the Hacking Exposed line of books). They are proof that a little knowledge in the wrong hands really can do a lot of damage...a ‘blind’ penetration test will take considerably longer to discover the same number of security flaws. When conducting a full-knowledge (i.e. ‘crystal-box’) penetration test, it is a simple process to indicate within a report what information was necessary to make the security findings and what level of skill or knowledge an attacker would need to exploit any vulnerabilities. Thus, a full-knowledge penetration test provides the same, or greater, level of security information for less time and cost. I would question anyone trying to sell a ‘blind’ penetration test for less than the cost of a full-knowledge penetration test.
-- end quote --
It sounds like Gunter doesn't understand the difference between a vulnerability assessment and a penetration test. He uses the latter term but describes the former. A vulnerability assessment involves discovering and documenting vulnerabilities, whether with "blind" or "crystal box" knowledge of the target. A penetration test moves beyond discovery to actual compromise, where the analyst exploits targets to gain greater access to the victim network and implement a real-world intrusion scenario. This usually tests the client's response and remediation processes. This opinion isn't just mine -- Google produced this Red Hat Security Guide and I read a recent Rik Farrow article as well.
Monday, May 26, 2003
"Gartner sees IPS as the next generation of IDS, when they're likely the next generation of firewall," says Marty Roesch, founder of Sourcefire, an IDS vendor. Roesch is also the creator of Snort, an open-source, rules-based language for writing detection signatures.
Roesch insists that IDSs and IPSs are separate technologies with mutually exclusive functions. "IPS is access control, and IDS is network monitoring. IPS is policy enforcement, and IDS is audit. It's not the IDS's job to secure your network. Its job is to tell you how insecure it is."
But Roesch's distinction may not resonate in the wider security market. "Joe Average doesn't want to monitor traffic and comb through data and make changes in rules and policies based on detected attacks," says Jeff Wilson, executive director of Infonetics Research (www.infonetics.com). "They want to stop attacks."
-- end article --
Fine -- prevention is always preferable to detection. But prevention always fails, at some point. How do you determine the scope of a compromise when your IPS fails to detect and prevent an attack? You better be able to fail back on your audit capabilities, which log what they see and make no value judgements.
Thursday, May 22, 2003
Sguil (pronounced "sgweel") is a graphical interface to snort. The actual interface and GUI server are written in tcl/tk. Sguil uses other open source software like barnyard and mysql for accessing data. The client interface provides 'hooks' to analyst tools like ethereal, tcpflow, and p0f. Sguil makes it easy for multiple analyst to work together in monitoring multiple sensors. Currently, sguil only provides an analyst interface. Sensor and rule management is forthcoming.
Sguil-0.2 includes numerous changes and bugfixes. Notable additions inlude event history, event comments, access to session data (stream4 keepstats), abuse email templates, and user accountability. See http://sguil.sourceforge.net for downloads, updated screenshots, and more info.
I typically read and review books on digital security. I bought "The Art of the Steal" (TAOTS) after being captivated by "Catch Me If You Can." TAOTS is an incredible book, but not because it is a masterpiece of English literature. Rather, TAOTS is an amazing and personalized tour of a seedy underworld where ingenuity serves evil purposes. In
Amazon.com also posted my four star review of Stealing the Network. From the review:
"Stealing the Network" (STN) is an entertaining and informative look at the weapons and tactics employed by those who attack and defend digital systems. STN is similar to the "Hacker's Challenge" books published by Osborne, although the stories are not separated into evidence and resolution sections. Rather, a collection of authors use mildly fictional tales to introduce readers to tactics and techniques used by black and white hat hackers.
Sunday, May 18, 2003
Vasiliy Gorshkov did not set out to be a thief. Relatives and friends say he had wanted to build a dot-com . . . Gorshkov, then 24, didn't have the cash. Business associates recalled that he didn't even have enough money to keep paying his four programmers. But one of those programmers, 19-year-old Alexey Ivanov, said he knew how to raise the protection money, according to lawyers familiar with the conversation. Goshkov could offer a protection service of his own. To online businesses. Six thousand miles away in the United States.
Saturday, May 17, 2003
Thursday, May 15, 2003
Wednesday, May 14, 2003
Senior detectives at Scotland Yard's Computer Crime Unit spotted 27-year-old Lynn Htun, believed to be the brains behind the infamous Fluffi Bunni hacking group, on the stand run by Insight Consulting and its business partner Siemens at the Infosecurity Europe 2003 show at Olympia, London.