Posts

Showing posts matching the search for anti-log

I Am Not Anti-Log

Some of you who rely on various system and application logs might take exception to my emphasis on interpreting network traffic. You might think I am "anti-log." That is absolutely not true. I will demonstrate a case that shows I appreciate logs in certain situations. Last night I was analyzing alert data collected from one of the customers I monitor. One of the Snort alerts I saw (a bleeding-exploit.rules entry) indicated BLEEDING-EDGE EXPLOIT Possible MSIE VML Exploit. This did not look promising, especially since I was not flooded with these events. In other words, if I had seen 100, I would not be 100 times more worried than if I saw only one alert. The fact that I was investigating a single alert made me think this signature might be deadly accurate. I am not going to walk through the entire investigation for this event. Suffice it to say I wanted to know if the victim system was truly exploited. I eventually found myself looking at transcripts of traffic and ...

Consider This Scenario

The other day I posted I Am Not Anti-Log. I alluded to the fact that I am not a big log fan but I do see the value of logs. This post will give you an indication as to why I prefer network data to logs. Yesterday morning I installed OSSEC on the one system I expose to the Internet. OSSEC is really amazing in the sense that you can install it and immediately it starts parsing system logs for interesting activity. The system on which I installed OSSEC only offers OpenSSH to the world. Therefore, you could say I was surprised when the following appeared in my Gmail inbox this morning: OSSEC HIDS Notification. 2007 Feb 02 06:25:01 Received From: macmini->/var/log/auth.log Rule: 40101 fired (level 12) -> "System user sucessfully logged to the system." Portion of the log(s): Feb 2 06:25:01 macmini su[14861]: (pam_unix) session opened for user nobody by (uid=0) I don't know what that means, but I don't feel good about it. At this point I know what everyone i...

Pervasive Security Monitoring

After Black Hat I've been thinking of how to address gaining insight into the security state of the enterprise. My first book addressed how to detect and respond to intrusions using traffic sources in the form of network security monitoring. I've talked about gaining pervasive network awareness several times as well. Recently I've talked about security application instrumentation and several times over the years I've discussed why I am not anti-log. I am beginning to formulate my thoughts on what I'm calling Pervasive Security Monitoring. I don't have a formal definition yet, but the concept will extend past NSM data sources (traffic) into reports on the state of platforms, OS, applications, and data. The dictionary definition, "to become spread throughout all parts of," captures the concept fairly well at this stage. I noticed Cisco and a few others used the term pervasive security awareness, but it's used as a way to encourage employees to be...

Ugly Security

I read Anton Chuvakin's post MUST READ: Best Chapter From “Beautiful Security” Downloadable! with some interest. He linked to a post by Mark Curphey pointing out that Mark's chapter from O'Reilly's new book Beautiful Security was available free for download in .pdf format. O'Reilly had been kind enough to send me a copy of the book, so I decided to read Mark's chapter today. I found the following excerpts interesting. Builders Versus Breakers Security people fall into two main categories: Builders usually represent the glass as half full. While recognizing the seriousness of vulnerabilities and dangers in current practice, they are generally optimistic people who believe that by advancing the state they can change the world for the better. Breakers usually represent the glass as half empty, and are often so pessimistic that you wonder, when listening to some of them, why the Internet hasn’t totally collapsed already and why any of us have money left unpilfe...

Security Application Instrumentation

Last year I mentioned ModSecurity in relation to a book by its author. As mentioned on the project Web site, "ModSecurity is an open source web application firewall that runs as an Apache module." In a sense Apache is both defending itself and reporting on attacks against itself. I consider these features to be forms of security application instrumentation. In a related development, today I learned about PHPIDS: PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending...

Instrumentation is the Next Internet Explorer

I read Rik Farrow's Musings (.pdf) in the latest USENIX ;login: and noticed this section: [Rik read] an amazing paper by Chad Verbowski... of Microsoft Research... Flight Data Recorder (.pdf) (FDR) (say, haven’t I heard of another similarly named software project?) has the goal of capturing configuration and file changes from Microsoft systems and will be shipped with Windows Vista. Using a time window of only 6 ms, FDR captures all changes to system configuration–related registry entries and files, saves the log locally, then cleverly compresses it, without losing any interesting data, before uploading the compressed logs to a server. The goal was to capture data from thousands of servers while using less than 1% of network bandwidth, with a less than 20 MB/day logfile per system that can be analyzed in 3 seconds. Sounds unbelievable, but FDR manages to compress each event into an average of 0.7 of a byte. The motivation for this clever work was the discovery that 33% of system outag...

The Limits of Tool- and Tactics-Centric Thinking

Earlier today I read a post by Dave Aitel to his mailing list titled Drinking the Cool-aid. Because it includes a chart you should review, I included a screenshot of it in this blog, below. Basically Dave lists several gross categories of defensive digital security technology and tools, then lists what he perceives as deficiencies and benefits of each. Embedded in these pluses and minuses are several tactical elements as well. Please take a look at the original or my screenshot. I had three reactions to this post. First, I recognized that it's written by someone who is not responsible for defending any network of scale or significance. Network defense is more than tools and tactics. It's more often about people and processes. My initial response is unsatisfying and simplistic, however, even though I agree broadly with his critiques of anti-virus, firewalls, WAFs, and some traditional security technology. Second, staying within the realm of tools and tactics, Dave i...

Verizon Business Report Speaks Volumes

This morning I attended a call discussing the new Verizon Business 2008 Data Breach Investigations Report. I'd like to quote the linked blog post and a previous article titled I Was an Anti-MSS Zealot, both of which I recommend reading in their entirety. First I cite some background on the study. Verizon Business began an initiative in 2007 to identify a comprehensive set of metrics to record during each data compromise investigation. As a result of this effort, we pursued a post-mortem examination of over 500 security breach and data compromise engagements between 2004 and 2007 which provided us with the vast amount of factual evidence used to compile this study. This data covers 230 million compromised records. Amongst these are roughly one-quarter of all publicly disclosed data breaches in both 2006 and 2007, including three of the five largest data breaches ever reported. The Verizon Business 2008 Data Breach Investigations Report contains first-hand information on actual ...

Nessus Developments

Recently I reviewed the new Syngress Nessus book, after installing Nessus 2.2 using the security/nessus FreeBSD port. Yesterday Tenable Network Security relaunched the Nessus home page. The author of the Nessus vulnerability scanner is Renaud Deraison, who co-founded Tenable and currently serves as Chief Research Officer there. Tenable formally supports the development of Nessus. Along with a sharp new Web design and the release of Nessus 2.2.1, the site announced a new policy on plug-ins. Plug-ins are code written in the Nessus Attack Scripting Language (NASL) which perform vulnerability checks. Tenable is offering three feeds for Nessus plug-ins: The Direct Feed "is commercially available [and] entitles subscribers to the latest vulnerability checks," immediately. It costs $1200 per scanner per year. The Registered Feed "is available for free to the general public, but new plugins are added seven days after they are added to the Direct Feed." ...

NAC Is Fighting the Last War

My post on the IETF Network Endpoint Assessment Working Group elicited a comment that suggested I expand on my thoughts, namely that Cisco Network Admission Control (NAC) / Microsoft Network Access Protection (NAP) / Trusted Network Connect (TNC) "are all fighting the last war." Let's see what the comment poster's own company has to say about NAC. (Please note that although I use NAC in the text that follows [as used by my sources], I could just as easily say NAP or TNC or NEA. I only single out Cisco because they are investing so much effort into NAC.) Network Admission Control (NAC), a set of technologies and solutions built on an industry initiative led by Cisco, uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. Customers using NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers, and P...

Thoughts on FAIR

You knew I had risk on my mind given my recent post Economist on the Peril of Models. The fact is I just flew to Chicago to teach my last Network Security Operations class, so I took some time to read the Risk Management Insight white paper An Introduction to Factor Analysis of Information Risk (FAIR). I needed to respond to Risk Assessment Is Not Guesswork, so I figured reading the whole FAIR document was a good start. I said in Brothers in Risk that I liked RMI's attempts to bring standardized terms to the profession, so I hope they approach this post with an open mind. I have some macro issues with FAIR as well as some micro issues. Let me start with the macro issue by asking you a question: Does breaking down a large problem into small problems, the solutions to which rely upon making guesses, result in solving the large problem more accurately? If you answer yes, you will like FAIR. If you answer no, you will not like FAIR. FAIR defines risk as Risk - the probable f...