Saturday, February 18, 2006

RSA Conference 2006 Wrap-Up, Part 3

This is part 3 of my RSA Conference 2006 wrap-up. I started with part 1.

Before continuing I should mention a few items relating to my previous posts. First, I forgot to say that I enjoyed presenting my talk on Tuesday afternoon. Many attendees stayed to ask questions. I ended up leaving the room about 45 minutes after my briefing ended.

Second, Nitesh Dhanjani asked me to mention his O'Reilly articles on Firefox anti-phishing and launching attacks through Tor.

Third, in his talk Nitesh referenced his article Googling for Vulnerabilities, which includes a PHP script. He also reminded the crowd of Foundstone's SiteDigger tool.

Now, on to new material. I finished Wednesday's briefings by listening to Ira Winkler, a fellow ex-intelligence professional. I highly recommend that those of you who give me grief about "threats" and "vulnerabilities" listen to what Mr. Winkler has to say. First, he distinguishes between those who perform security functions and those who perform counter-intelligence. The two are not the same. Security focuses on vulnerabilities, while counter-intelligence focus on threats. He said if an asset does not expose a vulnerability, no threat can damage it. If no threat exists, then a vulnerability cannot be exploited. This sort of discussion is the reason we need to understand the difference between these two terms, which Mr. Winkler said are often "confused." Amen.

Mr. Winkler presented the risk equation as the following: risk = asset value * (threat * vulnerabilities)/countermeasures. I like that since it is essentially asset value * threat * vulnerabilities, with a denominator of countermeasures. Since my version doesn't explicitly address countermeasures, I intend to add that in future references to the risk equation.

Speaking of real threats, he gave a few examples. I believe they are found in his books, but I am not sure. I am repeating what he said, so I hope no one is offended by these remarks. They simply represent some of what is happening in corporate America today. Mr. Winkler described a Chinese restaurant located across the street from the research and development lab of a Fortune 5 company. That company hires many people of Chinese descent. He said that restaurant featured exceedingly good food, of better quality and cheaper price than might be found in China itself.

The restaurant is operated by the Chinese government, or associates of the Chinese government. They staff the restaurant with operatives who try to befriend patrons from the R&D lab. Guess why the restaurant is happy to host company luncheons where the R&D lab discusses upcoming projects? Their meeting rooms are bugged. Mr. Winkler said this sort of corporate espionage is nothing new, and that we all need to understand that this is the way the game is played. He also said he knows people who have the job of "drinking people under the table" in order to get them to talk about their companies.

Mr. Winkler advised that companies conduct security awareness training that emphasizes these points:

  1. A company's information has value.

  2. Competitors will try to steal it.

  3. Employees should report anything suspicious.

  4. Security staff should make employees aware of the countermeasures they deploy to mitigate risk.


After talking about corporate espionage, Mr. Winkler explained how he and an accomplice were hired to steal plans to nuclear reactors from an American company. He started the operation by visiting a nearby restaurant. He searched through a bowl of business cards left by patrons at the front desk, and kept one from an employee of the company he was hired to penetrate. Using that business card, he and his accomplice were able to acquire corporate badges from the target company. They set themselves up as special assistants to the president of the company.

They next traveled to the facility that was responsible for designing nuclear power plants. He didn't even need his badge to enter the grounds, because the guard was waving everyone through the gate. Mr. Winkler asked where he could find the graphics and printing department. Why visit the engineering crew when you could get the same diagrams from the people who print them?

After spending half a day walking around asking the location of the team that printed the nuclear plant proposal, he found the right office. The employees let Mr. Winkler sit at their computers, where he proceeded to acquire the IP address of the server hosting the plans. He left and passed the information to his accomplice, who had set himself up in an empty office with intranet connectivity. After downloading the target plans, the pair noticed unauthorized access to the server from computers in India. As confirmed by this story, Mr. Winkler suspects the users of the Indian computers stole reactor plans and other sensitive data from the target company.

I found Mr. Winkler's talk highly informative, blunt, and disturbing. It was definitely worthwhile.

2 comments:

Anonymous said...

Do you have a blog post about your definitions of threat and vulnerability?

Anonymous said...

I think I found what I was looking for:
http://taosecurity.blogspot.com/2005/05/risk-threat-and-vulnerability-101-in.html