Friday, September 09, 2005

Two Good SecurityFocus Articles

I just read two good columns at SecurityFocus. The first, A Changing Landscape, is by Red Cliff consultant, fellow former ex-Foundstone consultant, and Extrusion Detection contributing author Rohyt Belani. He theorizes about the rise of client-side attacks and their effect on statistics reported by CERT/CC.

The second article is an interview with FX of Phenoelit. He discusses exploiting Cisco IOS, which is fascinating.

7 comments:

Matty said...

Here is my favorite comment:

"If someone took over your router, there is little you can do in terms of forensics. If the attacker changed the configuration, you may find it in the NVRAM. For everything else, the router must still be running. Then, you can see logged in users or go as far as inspecting the memory as hex dump. But I would say that for an average CCIE it's hard to spot an attacker on a router."

It will be easy to see how forensic analysis adapts to deal with future IOS attacks.

- Ryan

Keydet89 said...

Rohyt's article is no new revelation. Interesting presentation, nonetheless.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Matt said...

Harlan,
On the surface, you are right - attacking the user's environment rather than the information provider is certainly not new. The point that I believe that Rohyt is making is that the concept of businesses providing security services in the form of more strict two-party authentication and user education is something that has only recently begun to catch on. Financial institutions spend millions every year to maintain and audit the security of their networks to avoid large scale losses. Having made significant progress in repelling attacks of that scale, businesses are begininng to shift towards the protection of a consumer relationship. While the business can handle small scale losses with little impact, a single loss can be devastating to a consumer.

-- Matt

Keydet89 said...

Matt,

I'm sure you're right, but I'm not entirely sure that I can agree with the issue of user education. I'd comment on that in particular, but I can't do nearly as well as Marcus Ranum did in his recent editorial (on his web site at www.ranum.com). In a nutshell...it doesn't work.

Also, say hi to Jim H and BJ for me! ;-)

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Matt said...

Harlan,
I'll pass that along to the guys!

The problem that I had with Ranum's opinion is that a number of his assertions seem to suggest a somewhat sheltered view of business. He seems used to small companies that can hire to a specific skill set. He states that in his small security startup everyone who ran a Windows system knew how to secure it. It is simply not possible, nor is it likely that we will evolve into a workforce where education becomes unnecessary. I am surprised that he implies that a technical solution (filtering attachments) will solve an inherently human problem (knowing who to trust and why). This directly contradicts the general principle he hints at in the "Minor Dumbs" section regarding host vs network security. Furthermore, his past rants on patching sound a bit like a Slashdot article, full of suggestions on what to avoid running, and completely avoiding the discussion of how to adequately address the actual needs of a business. They are nice ideas - I'll give him that.

In addition to the apparently debatable points on whether employees will benefit from a bit of knowledge, training and education also provide a means to communicate corporate policy. This communication is key from a remedial standpoint as people can then be held accountable.

-- Matt

Keydet89 said...

Matt,

I agree to varying degrees with Marcus's thoughts, but for the most part, I do agree that user education hasn't worked. I think that in some cases, it does, but I've seen enough of the "I had no idea" and "I knew I wasn't supposed to click on it but I did anyway" responses where the overall effectiveness of user education hasn't been overly impressive.

Can every user install Windows? No. Should they be able to? No. In Marcus's case, he was talking about a highly specialized environment.

As far as a sheltered view of business...I'm not sure. I think we all come from different experiences, and remember that at the end of his editorial, Marcus does state that what he wrote was at least partially light-hearted. As far as the business aspect goes, I see this all the time...my wife works for a very large company, and I see the "work-arounds" the employees come up with just about every day.

I do agree with you on the point of accountability, but my experience also shows that it's extremely difficult to do that when you've got the CEO violating the policy he signed, or the Chief Legal Counsel infecting the network b/c he opened a zipped attachment from someone he didn't know, and launched the file inside. In such cases, how do you then hold Joe Regularguy accountable?

IMHO, there has to be a middle ground. Part of this requires that IT staff themselves be educated, as well...sysadmins and managers alike. Another part requires that senior managers be educated on what senior managers are supposed to do...but we're probably getting way off the beaten path here. Maybe we can pursue this over a beer sometime.

Does Jim H still keep his own private stash of coffee (high octane) in his office? How about his collection of Legos? Working in BJ's group at TDS was probably the best job I ever had...with the exception of my current employment, of course! ;-)

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

dghnfgj said...
This comment has been removed by a blog administrator.