TaoSecurity Blog

You may have seen stories like Cybersecurity Experts Collaborate with subtitles like A think tank has tapped several heavyweight security experts to staff a commission that will advise the president. That story continues: The Center for Strategic and International Studies (CSIS) wants the commission to come up with a list of recommendations that the new president who takes office in January 2009 "can pick up and run with right away," said James Lewis, director of the CSIS Technology and Public Policy Program. The commission, made up of 32 cybersecurity experts, plans to finish its work by the end of 2008. I am fairly confident that nothing of value will come from this group, but there is one task which could completely reverse my opinion. Rather than wasting time on recommendations that will probably be ignored, how about taking a step in a direction that will have real impact: security metrics . That's right. Spend the first day (or two, if you are a slow reader o...

I am constantly hammered for downplaying the "inside threat" and focusing on external attackers. Several months ago I noted the Month of Owned Corporations as an example of enterprises demonstrating security failures exploited by outsiders. Thanks to Bots Rise in the Enterprise , it appears the external threat is finally getting more attention: Who says bots are just for home PCs? Turns out bot infections in the enterprise may be more widespread than originally thought. Botnet operators traditionally have recruited "soft" targets -- home users with little or no security -- and the assumption was that the more heavily fortressed enterprise was mostly immune. But incident response teams and security researchers on the front lines say they are witnessing significant bot activity in enterprises as well... Rick Wesson, CEO of Support Intelligence, says the rate of botnet infection in the enterprise isn't necessarily increasing -- it just hasn't been explored i...

Are you secure? Prove it. These five words form the core of my recent thinking on the digital security scene. Let me expand "secure" to mean the definition I provided in my first book: Security is the process of maintaining an acceptable level of perceived risk. I defined risk as the probability of suffering harm or loss . You could expand my five word question into are you operating a process that maintains an acceptable level of perceived risk? Let's review some of the answers you might hear to this question. I'll give an opinion regarding the utility of the answer as well. For the purpose of this exercise let's assume it is possible to answer "yes" to this question. In other words, we just don't answer "no." We could all make arguments as to why it's impossible to be secure, but does that really mean there is no acceptable level of perceived risk in which you could operate? I doubt it. So, are you secure? Prove it. Yes. ...

The Microsoft Malware Protection Center recently published their third Security Intelligence Report . The front page of the report says An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software, focusing on the first half of 2007 Inside it continues: This report provides an in-depth perspective on software vulnerabilities (both in Microsoft software and third-party software), software exploits (for which there is a related MSRC bulletin), malicious software, and potentially unwanted software. The lists below summarize the key points from each section of the report... The number of disclosures of new software vulnerabilities across the industry continues to be in the thousands... Contrast that proper use of the word vulnerabilities in those excerpts with the incorrect use of the word threat in the quotes I noted in Someone Please Explain Threats to Microsoft : As you go about filling in the threat model threat list,...

I am happy to announce that progress is being made towards the release of FreeBSD 7.0. This announcement says the release cycles for FreeBSD 7.0 and 6.3 have begun. The first 7.0-BETA1 .iso's you might want to test on a fresh system have been published. The announcement says "Instructions on using FreeBSD Update to perform a binary upgrade from FreeBSD 6.x to 7.0-BETA1 will be provided via the freebsd-stable list when available." The FreeBSD 7.0 release schedule is available, and it shows FreeBSD 7.0 is scheduled for publication on 17 Dec 07. I would love to see this happen, but it's likely to take place about a month later. However, given the time between now and December, it's possible 7.0 will arrive by the end of the year. It looks like the todo list is rather small. While researching this story I found Bruce Mah's FreeBSD Release Documentation Snapshot Page . A large amount of documentation for each release is published there. When available I w...

Friday I attended an open symposium hosted by the Office of the National Counterintelligence Executive (ONCIX). It was titled Counterintelligence and the Cyber Threat and featured speakers and panels from government, law enforcement, industry, legal, and academic organizations. I attended as a representative of my company because our CSO, Frank Taylor, participated in the industry panel. If you're not familiar with the term counterintelligence, let me reproduce a section from the OCNIX Web site: Counterintelligence is the business of identifying and dealing with foreign intelligence threats to the United States. Its core concern is the intelligence services of foreign states and similar organizations of non-state actors, such as transnational terrorist groups. Counterintelligence has both a defensive mission — protecting the nation's secrets and assets against foreign intelligence penetration — and an offensive mission — finding out what foreign intelligence organizations a...

This week Brian Krebs of Security Fix wrote Shadowy Russian Firm Seen as Conduit for Cybercrime , Taking on the Russian Business Network , Mapping the Russian Business Network , and The Russian Business Network Responds . These are great articles, that, at the very least, bring a true threat to a wider audience. This Slashdot post featured a helpful thread providing some technical details on the network itself. If you would like to try identifying some of the networks involved, my post Routing Enumeration might be helpful. Searches via RIPE could also be illuminating. While researching this post I found a few other incredible resources. First, there's a blog -- rbnexploit.blogspot.com -- that started last month. It's exclusively about RBN. Second, I found Nicholas Albright's blog , which covers botnets. Third, there's an absolutely amazing series of articles by Scott Berinato . They are lengthy but definitely worth reading.

Amazon.com just posted my three star review of LAN Switch Security: What Hackers Know About Your Switches . From the review: I really looked forward to reading LAN Switch Security (LSS), simply because it covered layer 2 issues. These days application security, rootkits, and similar topics get all the press, but the foundation of the network is still critical. Unfortunately, LSS disappointed me enough to warrant this three star review. I'm afraid those before me who wrote five star reviews 1) don't read enough other books or 2) don't set their expectations high enough. The bottom line is that if you want to read a good Cisco security book, the best available is still Hacking Exposed: Cisco Networks .

I've been given a press pass to attend CSI 2007 in Washington, DC, 3-9 November 2007. In exchange for posting the following, I've also got a $100 discount for anyone using the code CSI2007. CSI Annual Conference 2007 November 3-9, 2007 Hyatt Regency Crystal City Arlington, Virginia www.CSIAnnual.com CSI 2007, held November 3-9 in Arlington, VA, delivers a business-focused overview of enterprise security. 2,000+ delegates, 80 exhibitors and features 100+ sessions/seminars convene to provide a roadmap for integrating policies and procedures with new tools and techniques. Register now using code: CSI2007 and save $100 off the conference or get a Free Exhibition Pass at www.csiannual.com. If you think it's not worth $100 to my readers to see the previous text, how about this: I have two free full conference passes (together worth over $3000), courtesy of CSI, to be awarded to blog readers. How do I decide who should get them? I'm going to hold an essay contest. The t...

This week I attended Victory in Cyberspace , an event held at the National Press Club . It centered on the release of a report written by http://www.irisresearch.com/grant.html">Dr. Rebecca Grant for the Air Force Association 's Eaker Institute . The report is titled Victory in Cyberspace (.pdf). The panel (pictured at left) included Lt. Gen. Robert J. Elder , Lt Gen. (ret) John R. Baker , and Gen. (ret) John P. Jumper . Dr. Grant is seated at the far right. As far as the event went, I found it interesting. If you are exceptionally motivated you can download the entire 90 min briefing in .wmv format here . I'd like to share a few thoughts. First, I was impressed by all the speakers. Lt. Gen. Baker led AIA when I was a Captain there. At the same time Gen. Jumper led Air Combat Command, before becoming Chief of Staff. I learned Lt. Gen. Elder has a PhD in engineering. Lt. Gen. Elder commented that cyberspace is a domain similar to the ocean, and he specifically...

If you read The Doomsday Clock you probably recognize I have a dim opinion of "expert opinion," especially by committee. At the risk of making a political statement, I rank expert opinion alongside central planning as some of the worst ways to make decisions -- at least where a large amount of complexity must be accommodated. What is my alternative? I believe free markets are the best way to synthesize competing data points to produce an assessment. Does this sound familiar? If yes, you may be thinking of this 2003 story: The Case for Terrorism Futures : Critics blasted policy-makers Tuesday for dropping a controversial plan to create a futures market to help predict terrorist strikes... [S]upporters of the project point out that gathering intelligence is often a messy business, with payoffs to unsavory characters and the elimination of potential adversaries. The futures market, ugly as it may sound, doesn't involve any of those moral compromises, said Robin Hanson, ...

Tonight I finished watching a show called The Doomsday Clock , on the best TV channel (the History Channel , of course). I was vaguely aware of the clock, maintained by the Bulletin of the Atomic Scientists , but I didn't know the history of the project. According to Minutes to Midnight : The Bulletin of the Atomic Scientists’ Doomsday Clock conveys how close humanity is to catastrophic destruction--the figurative midnight--and monitors the means humankind could use to obliterate itself. First and foremost, these include nuclear weapons, but they also encompass climate-changing technologies and new developments in the life sciences and nanotechnology that could inflict irrevocable harm. Interesting -- you know what this is? It's a risk assessment . In my first book I defined risk as the probability of suffering harm or loss. The Doomsday Clock supposedly displays how close we are to world-ending catastrophe. I find two aspects of the clock appealing. First, as depicted by...

A few weeks ago I recommended security people to at least Be the Caveman and perform basic adversary simulation / red teaming. Now I read Australia's top enterprises hit by laymen hackers in less than 24 hours : A penetration test of 200 of Australia's largest enterprises has found severe network security flaws in 79 percent of those surveyed. The tests, undertaken by University of Technology Sydney (UTS), saw 25 non-IT students breach security infrastructure and gain root or administration level access within the networks of Australia's largest companies, using hacking tools freely available on the Internet. The students - predominately law practitioners - were given 24 hours to breach security infrastructure on each site and were able to access customer financial details, including confidential insurance information, on multiple occasions. High-level business executives from the companies surveyed, rather than IT staff, were informed of the tests so the "day-to-d...

Amazon.com just published my five star review of Security Data Visualization by Greg Conti . From the review : Security Data Visualization (SDV) is a great book. It's perfect for readers familiar with security who are looking to add new weapons to their defensive arsenals. Even offensive players will find something to like in SDV. The book is essentially an introduction to the field, but it is well-written, organized, and clear. I recommend all security analysts read SDV. I give five star reviews to books that meet certain criteria. First, the book should change the way I look at a problem, or properly introduce me to thinking about a problem for which I have little or no frame of reference. Although I have been a security analyst for ten years, I have little visualization experience. Author Greg Conti spent just the right amount of time explaining the field, describing key terms (preattentive processing, occlusion, brushing) and displays (star plots, small multiples, TreeMaps)....

One of my three basic security principles is advanced intruders are unpredictable. Believing you can predict what intruders are going to do next results in soccer-goal security . As I said in Pescatore on Security Trends , advanced attackers are digital innovators. I think I will start calling advanced intruders intrupreneurs . I just read and watched great examples of this principle in action courtesy of pdp at CITRIX: Owning the Legitimate Backdoor . I recommend reading the post and watching the two videos . If you are practicing Network Security Monitoring I recommend querying your session data for all incoming Citrix traffic, for as far back as you have stored, for unusual or unexpected activity. If you are not practicing NSM already I suggest beginning emergency NSM to watch your Citrix servers. It's important to realize that you may not even know you have certain Citrix servers active on your network. The flip side of the intruders are unpredictable principle is th...

I just noticed that Russ McRee published an article on Network Security Monitoring and Sguil by discussing Knoppix-NSM in the October 2007 Information Security Magazine titled Putting Snort to Work . I really enjoy Russ' Toolsmith articles in the ISSA Journal .

It's 2007 and some people still do not know the difference between a threat and a vulnerability. I know these are just the sorts of posts that make me all sorts of new friends, but nothing I say will change their minds anyway. To wit, Threat Modeling Again, Threat Modeling Rules of Thumb : As you go about filling in the threat model threat list, it’s important to consider the consequences of entering threats and mitigations. While it can be easy to find threats, it is important to realize that all threats have real-world consequences for the development team. At the end of the day, this process is about ensuring that our customer’s machines aren’t compromised. When we’re deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage. When we’re threat modeling, we should ensure that we’ve identified as many of the potential threats as possible (even if you think they’re trivial). At a minimum, the threats we list that we chos...