TaoSecurity Blog

I am pleased to announce that on Friday 19 March the Forum of Incident Response and Security Teams, or FIRST , accepted the General Electric Computer Incident Response Team, GE-CIRT , as a full member . This represents about a year of work for us. I am really proud of our team, especially since we reached initial operational capability on 1 January 2009. I would like to thank James Barlow and Rob Renew for sponsoring our application; Sarah Gori for leading our application process; David Bianco for helping Sarah with technical aspects of the process; and our security team members for assisting with meeting FIRST's criteria. If you are a member of an incident detection and response team but your team is not part of FIRST, please check out the membership process . I advocated joining FIRST for three reasons: Joining FIRST is a sign to the world that your team has reached a certain level of maturity, stability, and capability. The membership process itself will help focus your team

The April issue of Wired Magazine features an article by Noah Shachtman titled Security Watch: Beware the NSA’s Geek-Spy Complex . Noah writes: Early this year, the big brains at Google admitted that they had been outsmarted. Along with 33 other companies, the search giant had been the victim of a major hack — an infiltration of international computer networks that even Google couldn’t do a thing about. So the company has reportedly turned to the only place on Earth with a deeper team of geeks than the Googleplex: the National Security Agency... Technically, rendering this aid isn’t the NSA’s job, says Richard Bejtlich, a former Air Force cybersecurity officer now with General Electric. “But when you’re in trouble, you go to the guys who actually have a clue.” I appreciate the mention Noah! The focus of his article is as follows: [Within NSA, o]ne team wants to exploit software holes; the other wants to repair them. This has created a conflict — especially when it comes to working w

The guys at PaulDotCom posted the podcast .mp3 (39 MB) they conducted last week . It was another debate between myself and Ron Gula. We contrast control-centric and threat-centric defensive strategies, as well as discuss advanced persistent threat. Thanks for having us. I had forgotten that I was on their second show in January 2006!

My last post Forget ROI and Risk. Consider Competitive Advantage seems to be attracting some good comments. I thought it might be useful to mention a variety of ways to justify a security program. I don't intend for readers to use all of these, or to even agree. However, you may find a handful that might have traction in your environment. Crisis. Something bad happens. Although this is the worst way to justify a program, it is often very effective. Compliance. An external force compels a security program. This is also not a great way to justify a program, because resources are often misallocated. Competitiveness. Please see my previous blog post. Comparison. If your company security team is 10% the size of the average peer organization size, it's not going to look good when you have a breach and have to justify your decisions. Cost. It's likely that breaches are more expensive than defensive measures, but this can be difficult to capture. Customers. It seems rar

In my last post, Time and Cost to Defend the Town , I mentioned pondering different ways to discuss digital security with a new executive. This business leader reportedly said "every day, our businesses are competing in a global marketplace. How can we help them?" I thought about that statement and one idea came to mind: Digital security helps businesses build competitive advantage. I've decided that competitiveness is the new theme which I will use to justify my team's activities when discussing our mission with management. It seems simple and accurate to me. Capable digital security teams help businesses build competitive advantage by keeping data out of the hands of adversaries. Contrast competitiveness with two other popular paradigms for discussing digital security: ROI and risk. Imagine the following conversations. Which do you prefer? 1. "ROI-centric discussion" Security person: Hello boss. We need to implement our security program because it

Recently I guest-blogged on the importance of learning how another person thinks . This week I had a chance to apply this lesson with a new decision maker. I learned that I need to develop a way for this executive to think about our security program. I discussed the situation with my wife and she suggested focusing on cost. I thought about this a little more and realized that was the right way to approach the problem. Consider the following scenario. You're the mayor of a town. You need to decide how much of your budget to allocate to the fire department. To apply the most simplistic analysis to the problem, consider this scene. As mayor you give the fire chief a simple goal: "protect us from fires!" The fire chief asks you: "Mayor, on average, how fast do you want the fire department to respond to a fire?" I am not an expert on fighting real fires, but let's think about a range of some possible answers. Option 1. Instantly . Literally as soon as a

BT asked me to write a guest post on their blog, so I provided a new Reaction to Cyber Shockwave . I hadn't really addressed one of the main reasons why I liked Cyber Shockwave, despite the LOL-worthy "technical" aspects of the "simulation," when I wrote my first Reaction to Cyber Shockwave . Please check out the post if you'd like to read more about this. Thank you.

Earlier this month Verizon Business announced their Verizon Incident Sharing Framework (VerIS framework). This document is a means to describe digital security incidents, using four main groupings: 1. Demographics, 2. Incident Classification, 3. Discovery and Mitigation, and 4. Impact Classification. The idea is to provide a framework that incident investigators can complete for every digital security incident. Using the output, security teams can better identify trends and make recommend improved security strategies and tactics. For example, Verizon builds their Data Breach Investigation Report using data from their incident responses as formatted using the VerIS framework. Verizon asked me to participate on a "board" affiliated with this project, so you can expect to hear more from me. Verizon started a Zoho Forum to discuss the framework, but I think a Wiki would better facilitate collaboration and development of the document. At work we are working on our next ge

I am pleased to report that I've been invited to deliver the keynote at VizSec 2010 on 14 Sep in Ottawa, Ontario. I am on the Program Committee for a third year and will be evaluating papers soon. Please visit my post on calls for papers for DFRWS, VizSec, and RAID. Thank you.

My appearance on OWASP Podcast 61 is available. The .mp3 is 36 MB. Thanks to Jim Manico for inviting me to participate. We recorded the podcast in late January. Jim asked me the following questions: Would you care to tell us how did you get into IT and what lead you into a career in information security? What keeps you busy these days? What's the difference between focusing on threats vs focusing on vulnerabilities? What is your problem with the "protect the data" mindset? What do you mean by "building visibility in"? What is your take on the Aurora/Google hack? You just tweeted that "Network Security Monitoring ideology is the proper mechanism to combat APT/APA". Do you think network IPS/IDS/WAF can help defend insecure web applications? What are the limits of Network Security Monitoring? How important a role do you think secure coding and secure software development life-cycle play in defending the enterprise? Have HIPAA, PCI, SOX and other re

I just noticed that my tenth edition of Traffic Talk , titled Pcapr.net -- where Web 2.0 meets network packet analysis , has been posted. From the article: Solution provider takeaway: Pcapr.net is a free packet collaboration site hosted by Mu Dynamics. Solution providers can participate in the community to exchange, analyze and gather traces for testing products or processes for their customers, including network packet analysis. Not many networking solution providers are happy with the apparently limited number of network traces available for testing their products or processes. Hardly a day goes by on a network-focused mailing list without a participant asking, "Where can I download network traffic to test X?" Fortunately for anyone who wants to take network traffic exchange to a new level, Mu Dynamics has answered the call. Its Pcapr.net site is the self-proclaimed "Web 2.0 for packets." In this edition of Traffic Talk, we'll take a tour of Pcapr.net to see

In my Predictions for 2008 I wrote: Expect greater military involvement in defending private sector networks... The plan calls for the NSA to work with the Department of Homeland Security (DHS) and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the "Cyber Initiative." Now in Feds weigh expansion of Internet monitoring we read: Homeland Security and the National Security Agency may be taking a closer look at Internet communications in the future. The Department of Homeland Security's top cybersecurity official told CNET on Wednesday that the department may eventually extend its Einstein technology, which is designed to detect and prevent electronic attacks, to networks operated by the private sector. The technology was created for federal networks. Greg Schaffer, assistant secretary for cybersecurity and communications, said in an interview that the department is evaluat

Imagine you're a martial arts student. One day you have a guest instructor, accompanied by some of his black belts. They're experts in so-called "pressure point fighting." You've heard a little of this system, whereby practitioners can knock out adversaries with a series of precise strikes that lack the power of a brute-force approach. Until today you've had no direct experience. You may be skeptical, or maybe you believe such techniques are possible. The seminar starts. You watch the guest instructor explain his techniques. He starts knocking out his black belts. Maybe you believe what you see, or maybe you don't. Then the instructor asks for volunteers, and several of your fellow students agree. The instructor knocks them all out, including a student you really trust to not "take a fall" to make the guest "look good." You ask the student "what happened?" and he replies "that dude knocked me out!" Next t

The March 2010 BSD Magazine includes an article I wrote titled Keeping FreeBSD Applications Up-to-Date . It's a sequel to my article in the January 2010 BSD Magazine titled Keeping FreeBSD Up-to-Date: OS Essentials . With these two articles published, they replace the versions I wrote in 2005. I wrote these articles to demonstrate the variety of ways a system administrator can keep the FreeBSD operating system and applications up-to-date, with examples showing commands and effects.

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. Next is Black Hat EU 2010 Training on 12-13 April 2010 at Hotel Rey Juan Carlos I in Barcelona, Spain. I will be teaching TCP/IP Weapons School 2.0 . Registration is now open. Black Hat has three price points and deadlines for registration remaining. Regular ends 1 Apr Late ends 11 Apr Onsite starts at the conference Finally we have Black Hat USA 2010 Training 0n 25-28 July 2010 at Caesars Palace in Las Vegas, NV. I will be teaching two sessions of TCP/IP Weapons School 2.0 , one on the weekend and one during the week. Registration is now open. Black Hat has set five price points and deadlines for registration. Super Early ends 15 Mar Early ends 1 May Regular ends 1 Jul Late ends 22 Jul Onsite starts at the conference Seats are filling -- it pays to register early! If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative min

I'm happy to report that I will present Building a Fortune 5 CIRT Under Fire at FIRST 2010 on 16 Jun 10 in Miami, FL. I plan to attend the majority of the conference, since it is one of the few focused on incident detection and response. I hope to see you there!