TaoSecurity Blog

A friend of mine defending .mil pointed me towards this article by Wyatt Cash: Cyber chief argues for new approaches . The "cyber chief" in question is Air Force General Kevin Chilton , a 1976 USAFA graduate and the first astronaut to achieve four stars. I'd like to share several excerpts: The military’s commander of U.S. Strategic Command in charge of cyberspace, Air Force Gen. Kevin Chilton, warned that the underlying challenges and costs of operating in cyberspace often go unrecognized . And he proposed several measures to improve the security of the military’s non-classified networks. “The hardest thing we’re challenged to do in cyberspace,” said Chilton, isn’t defending against cyberattacks. It is “ operating the net under attack ...” “People talk about defending or exploiting cyberspace, but we don’t talk much about operating it if it’s under attack,” Chilton said. “It’s not easy work. And it’s not work to be taken on by amateurs .” Chilton argued that many of th

I've been using Splunk at work, so I decided to try installing the free version on a personal laptop. Splunk is a log archiving and search product which I recommend security professionals try. Once you've used it you will probably think of other ways to leverage its power. Anyone can use a free version that indexes up to 500 MB per day, so it's perfect for a personal laptop's logs. This machine runs Ubuntu 8.04. By default Splunk installs into /opt. Unfortunately when I built this system, I didn't create a /opt partition, and / is too small. So, I decided to create a symlink in /var/opt and accept the rest of the defaults when installing Splunk. root@neely:/usr/local/src# ls -d /opt /opt root@neely:/usr/local/src# rmdir /opt root@neely:/usr/local/src# ln -s /var/opt /opt Next I installed the .deb that Splunk provides. I've also used the .rpm on Red Hat Enterprise Linux. root@neely:/usr/local/src# dpkg -i splunk-3.3.1-39933-linux-2.6-intel.deb Selecting p

I received an email notifying me of a Webcast by SecureWorks titled Building and Sustaining a Security Operations Center . I'd like to highlight a few aspects of the Webcast that caught my attention. First, the slide below shows the functions that SecureWorks considers to be in scope for a SOC. I noticed it includes device management. I think that function is mostly integrated with regular "IT" these days, so your SOC might not have to worry about keeping security devices running. Configuration is probably best handled by the SOC however. Second, I liked seeing a slide with numbers of events being distilled into incidents. Third, I thought this slide made a good point. You want to automate the early stages of security operations as much as possible (90% tech), but the response processes tend to be very skill-intensive (which translates into higher overall salary costs, i.e., you may have fewer IR handlers, but they could cost more than the event analysts). The &qu

When I attended the FIRST 2008 conference in Vancouver, BC in June, one of my favorite talks was Threats to Internet Routing and Global Connectivity by Earl Zmijewski from Renesys . I've always liked learning about the Big Internet, where 250,000+ routes are exchanged over BGP and 45,000 updates per minute is considered a "quiet" load! I was This was the first time I heard of Pretty Good BGP , summarized by the subtitle of the linked .pdf paper: Improving BGP by Cautiously Adopting Routes.

Last week I was very happy to attend the 2008 Open Memory Forensics Workshop (OMFW) and the Digital Forensic Research Workshop . Aaron Walters of Volatile Systems organized the OMFW, which consisted of about 40 attendees and a mix of panels and talks in 10 quick afternoon sessions. My first impression of the event was that the underground could have set digital forensics back 3-5 years if they had attacked our small conference room. Where else do you have Eoghan Casey, Brian Carrier, Harlan Carvey, Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr., Jesse Kornblum, Andreas Schuster, Aaron Walters, et al, in the same room? I thought Brian Dykstra framed the situation properly when asking the following: "I know this is an easy question for all you ' beautiful minds ,' but..." Following the OMFW, I attended the first two days of DFRWS. I thought Secret Service Special Agent Ryan Moore started the conference well by describing his investigations of point-of-sal

As an Air Force Academy cadet I was taught a training philosophy for developing subordinates. It used a framework of Expectations - Skills - Feedback - Consequences - Growth. This model appears in documents like the AFOATS Training Guide . In that material, and in my training, I was taught that any problem a team member might encounter could be summarized as a skill problem or a will problem . In the years since I learned those terms, and especially while working in the corporate sector, I've learned those two limitations are definitely not enough to describe challenges to getting the job done. I'd like to flesh out the model here. The four challenges to getting the job done can be summarized thus: Will problem . The party doesn't want to accomplish the task. This is a motivation problem . Skill problem . The party doesn't know how to accomplish the task. This is a methods problem . Bill problem . The party doesn't have the resources to accomplish the tas

I found the following insight by Ravila Helen White in Information Security and Business Integration to be fascinating: Economists figured out long ago that in order to understand the economy, they would have to employ a double-pronged approach. The first approach would look at the economy by gathering data from individuals and firms on a small scale. The second approach would tackle analysis of the economy as a whole. Thus was born micro and macro economics. We can make information security more consumable by taking a page from economics. If we divide information security in the same manner as economics (its analytical form), we get micro information security and macro information security. Micro information security is the nuts and bolts that support an organization's information security practice. It's the technology, controls, countermeasures and tactical solutions that are employed day-to-day to defend against cyber threats. It's a step-by-step examination of inform

I liked this CIO Magazine article by Chris Potts: The Limits of Running IT Like a Business : A rallying call of corporate strategies for IT in recent years has been to run the IT department "like a business." When the technology-centric first generation of IT strategies reached a point of diminishing returns, this next stage was both inevitable and beneficial.... But with these benefits come pitfalls, especially if you take the IT-is-like-a-business approach to extremes. If you've tried managing an internal IT department as a bona fide business you already know that you can't take that very far, for the obvious reason that your IT department isn't a business. It is, after all, a part of a business : a significant contributor to a value chain, not a self-contained value chain of its own. And the harder you try to create a separate value chain for IT, the harder it becomes for the IT department to become integrated with the business of which it is truly part. A stra

Is this you too? To understand what it's like to be a federal chief information security officer, consider Larry Ruffin. As CISO at the Interior Department, his job could be described as having little to do with being a chief and not much more about security. Although he regards Interior's current information security as "far from inadequate," Ruffin and Chief Information Officer Michael Howell don't have a way to check that the department's network security is configured correctly or to monitor suspicious activity on a daily basis. Ruffin also has no authority and few resources to check on the security of employees' equipment, such as laptops, workstations and servers, or to monitor specific applications. He has to rely on verbal and written promises from Interior's bureau managers that they are complying with security policies. To a limited extent, Ruffin says, he conducts on-site checks of systems, which in the end offer little insight into the s

Security person, is this you? The pressure on the risk department to keep up and approve transactions was immense... In their [traders and bankers] eyes, we were not earning money for the bank . Worse, we had the power to say no and therefore prevent business from being done. Traders saw us as obstructive and a hindrance to their ability to earn higher bonuses. They did not take kindly to this. Sometimes the relationship between the risk department and the business lines ended in arguments. I often had calls from my own risk managers forewarning me that a senior trader was about to call me to complain about a declined transaction. Most of the time the business line would simply not take no for an answer, especially if the profits were big enough. We, of course, were suspicious, because bigger margins usually meant higher risk. Criticisms that we were being “non-commercial”, “unconstructive” and “obstinate” were not uncommon. It has to be said that the risk department did not always he

I've been writing about the proposed Air Force Cyber Command since the Spring of 2007. Since Bob Brewin broke the story that "the Air Force on Monday suspended all efforts related to development of a program to become the dominant service in cyberspace," I've been getting emails and phone calls asking if I had seen the story and what was my reaction. I provided a quote for Noah Shachtman's story Air Force Suspends Controversial Cyber Command . A story published today in the Air Force Times said: [New Air Force Chief of Staff Gen. Norton] Schwartz appeared to backtrack on the Air Force’s plan to stand up its new Cyber Command by Oct. 1. He said the mission will go forward, but that the organizational structure of the mission and how it will integrate with the Defense Department and U.S. Strategic Command are still being considered. I would not be surprised if Gen Schwartz was told to play nicely with the other services. I don't expect to see any more com

Recently I attended a briefing were a computer crimes agent from the FBI made the following point: Your job is vulnerability reduction. Our job is threat reduction. In other words, it is beyond the legal or practical capability of most computer crime victims to investigate, prosecute, and incarcerate threats . Therefore, we cannot independently influence the threat portion of the risk equation. We can play with the asset and vulnerability aspects, but that leaves the adversary free to continue attacking until they succeed. Given that, it is disappointing to read State AGs Fail to Adequately Protect Online Consumers . I recommend reading that press release from the Center for American Progress and Center for Democracy and Technology for details. I found this recommendation on p 25 interesting: Consumers are paying a steep price for online fraud and abuse. They need aggressive law enforcement to punish perpetrators and deter others from committing Internet crime. A number of leading

My 18th Snort Report titled The Power of Snort 3.0 has been posted. From the article: Service provider takeaway: Service providers will learn about Snort 3.0's new architecture and how it can be used as a platform for generic network traffic inspection tools. Recently, I attended a seminar offered by Sourcefire, the company that supports Snort. Marty Roesch, Snort's inventor and primary developer, discussed Snort 3.0. In this edition of the Snort Report, I summarize Marty's plans and offer a few thoughts on the direction of Snort development. Right now I am working on the next Snort Report, where I discuss how to get the latest Snort 3.0 beta running on Debian.

Please see Black Hat USA 2008 Wrap-Up: Day 1 for the first part of this two-part post. Day two of the Black Hat USA 2008 Briefings began much better than day one. Rod Beckström, Director of the National Cyber Security Center in DHS, delivered today's keynote. I had read articles like WhiteHouse Taps Tech Entrepreneur For Cyber Defense Post so I wasn't sure what to think of Mr. Beckström. It turns out his talk was excellent. If Mr. Beckström had used a few less PowerPoint slides, I would have classified him as a Edward Tufte -caliber speaker. I especially liked his examination of history for lessons applicable to our current cyber woes. He spoke to the audience in our own words, calling the US an "open source community," the Declaration of Independence and Constitution our "code," the Civil War a "fork," and so on. Very smart. For example, Mr. Beckström provided context for the photo at left of Union Intelligence Service chief Allan Pinke

Black Hat USA 2008 is over. I started the 6-day event by training almost 140 students during two 2-day editions of TCP/IP Weapons School . Both sessions went well. I'd like to thank Joe Klein and Paul Davis for helping students navigate the class entrance and exit processes, and for keeping the labs running smoothly. In the year since I posted Black Hat Final Thoughts for last year's event, a lot has happened. (I also reported on Black Hat Federal 2006 here , here , and here , and Black Hat USA 2003 . I attended Black Hat USA 2002 but wasn't blogging then.) In this post I will offer thoughts on the presentations I attended. I started Wednesday by attending the keynote by Ian Angell, Professor of Information Systems at the London School of Economics. I want that hour of my life back. Quoting philosophers, looking only at failures and never successes, and pretending your cat can talk doesn't amount to a good speech. This was a low point of the Briefings, althou

I've started writing a new series for TechTarget SearchNetworkingChannel.com called Traffic Talk . The first edition is called DNS troubleshooting and analysis . I wrote it in early June, way before Dan Kaminsky's DNS revelations, so it has nothing to do with that affair. From the start of the article: Welcome to the first edition of Traffic Talk, a regular SearchNetworkingChannel.com series for junior to intermediate networkers who troubleshoot business networks. In these articles we examine a variety of open source tools that expose and analyze different types of network traffic. In this edition we explore the Domain Name System (DNS), the mechanism that translates IP addresses to hostnames and back, plus a slew of other functions.