Showing posts from May, 2010

National Security Strategy is Empty on "Cyberspace"

The new National Security Strategy (.pdf) says the following about "cyberspace":

Secure Cyberspace

Cybersecurity threats represent one of the most serious national security, public safety, and economic challenges we face as a nation. The very technologies that empower us to lead and create also empower those who would disrupt and destroy. They enable our military superiority, but our unclassified government networks are constantly probed by intruders. Our daily lives and public safety depend on power and electric grids, but potential adversaries could use cyber vulnerabilities to disrupt them on a massive scale. The Internet and e-commerce are keys to our economic competitiveness, but cyber criminals have cost companies and consumers hundreds of millions of dollars and valuable intellectual property. The threats we face range from individual criminal hackers to organized criminal groups, from terrorist networks to advanced nation states. Defending against these threats to ou

Digital Security Is Not Just an Engineering Problem

Recently I participated in a small meeting involving a cross-section of people interested in digital security and public policy. During the meeting one of the participants voiced the often-repeated but, in my opinion, misguided notion that the primary problem with digital security is "design." In other words, "the Internet was not designed to be secure." If the Internet was not designed to be secure, all applications are "built on a foundation of sand" and therefore can never be "secure." This is a typical "engineering" mentality applied to digital security. I do not agree with it. You might think it's because I'm not a "professional engineer." Strangely enough, at USAFA I took classes in chemistry, physics (two courses), math (calc III and diff eq), thermodynamics, and five pure engineering courses (electrical, mechanical, civil, aeronautical, astronautical) plus the dreaded Academy "capstone" course -

"Privacy" vs "Security" or Privacy AND Security

Perhaps I'm alone on this, but I may not think of "privacy" and "security" the same way as some readers of this blog. It's common to hear that there is a tension between these two ideas, but I consider them to be very different, at least at the enterprise level. Privacy is primarily concerned with protecting customer data, often called Personally Identifiable Information (PII). Lawyers are typically the dominant players. This field is heavily regulated, with laws requiring disclosure when "records" are lost. The costs of an incident are borne primarily by the individuals whose PII was stolen. Security is primarily concerned with protecting intellectual property, often including trade secrets. Security professionals are typically dominant players. The field is less regulated, since a company loses its own IP. The costs of an incident are borne primarily by the enterprise because they become less competitive. In this sense, an enterprise

More Evidence Military Will Eventually Defend Civilian Networks

In my Predictions for 2008 I wrote Expect greater military involvement in defending private sector networks. About one year ago I wrote NSA to "Screen" .gov Now, I Predict .com Later. Now thanks to a new article by Noah Shachtman titled Cyber Command: We Don’t Wanna Defend the Internet (We Just Might Have To) we read the following: At a gathering this week of top cybersecurity officials and defense contractors, the Pentagon’s number two floated the idea that the Defense Department might start a protective program for civilian networks... “I think it’s gonna have to be voluntary,” he added. “People could opt into protection – or choose to stay out. Individual users may well choose to stay out. But in terms of protecting the nation’s security, it’s not the individual users [that matter most]. I mean, they have to worry about their individual [data], their credit rating, and all that. But it’s the vulnerability of certain critical infrastructure – power, transportation, fi

SANS WhatWorks Summit in Forensics and Incident Response

I wanted to remind everyone about the SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. The Agenda looks great. I will offer the "Expert Briefing: CIRT-level Response to Advanced Persistent Threat" and participate on the "APT Panel Discussion." This IR event is a great precursor to my next SANS WhatWorks Summit in Incident Detection and Log Management in DC, 8-9 December 2010.

Forget Pre-Incident Cost, How Much Did Your Last Incident Cost?

I just read this great post by Rich Mogull titled FireStarter: The Only Value/Loss Metric That Matters. His basic argument, or at least the idea that I derived from it, is the following (all in my own words). So-called "risk managers" spend a lot of time imagining they can determine "annualized loss expectancy" by predicting how much an incident will cost. Forget all that nonsense. Before imagining what a future incident will cost, figure out how much your last incident cost. This is brilliant because it is so simple yet drives straight at the heart of the problem. We work incidents all the time and I can't tell you how much they cost. Think about all the factors to consider:

Value of professional time of everyone who detected and responded to the incident
Value of computing resources affected by the incident
Value of data affected by the incident, whether disclosed, degraded, or denied
Value of brand, reputation, and other "goodwill" items
What

More on Black Hat Costs

About a year ago I wrote Black Hat Budgeting, explaining how an offensive security team might spend $1 million. I said "I submit that for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack." Tonight Jeremiah Grossman asked via Twitter:

jeremiahg @taosecurity regarding black hat budgeting, does defense-in-depth exacerbate the value cost inequity for defenders

I was tempted to squeeze some sort of reply into less than 140 characters, but decided to answer here instead. First, vulnerability research is not free. Funny enough the No More Free Bugs movement is about one year old now. Charlie, Dino, and Alex are right -- it costs real resources to find vulnerabilities in software, with the level depending on the target. Second, exploit development is not free. It is not trivial to devise a reliable, multi-target, stealthy-if-necessary exploit for a discover

Watch Your WHOIS Entries

Thanks to sites like the Sucuri Security blog, domain name administrators should be learning that it is important to watch for updates to WHOIS records. Companies like Sucuri offer such a service free for one domain but charge for additional domains while providing extended services. If you'd just like to monitor your own WHOIS records using a simple script, you can be inspired by last year's article Network-based integrity monitoring keeps website hacks in check by David Davidson. I decided to create the following simple script to watch two of my domains.

    richard@macmini:~/check$ cat
    #!/bin/sh
    /usr/bin/whois > /home/richard/check/
    /usr/bin/whois > /home/richard/check/
    /usr/bin/diff -u /home/richard/check/ \
      /home/richard/check/ | mail -s " whois check"
    /usr/bin/diff -u /home/richar
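The same check written out as a complete script, added here as an example (it is not the script from the post). It keeps a baseline copy of each record under a check directory, drops the lines registries rewrite on every query (the query timestamp, notices, blank lines) so that only a real change produces a diff, and refuses to treat a failed or empty lookup as a change, since a registry outage should neither become the new baseline nor look like a hijack. The domain names, the check directory and the MAIL_TO address are assumptions supplied by the caller.

```shell
#!/bin/sh
# whois-check.sh: keep a baseline copy of each domain's WHOIS record and
# report any change on later runs. Added example, not the script from
# the post: the domains, CHECK_DIR and MAIL_TO are assumptions the
# caller supplies.
#
# Usage:  ./whois-check.sh example.com example.net
#
# Optional environment:
#   CHECK_DIR   where baseline records live (default: $HOME/check)
#   WHOIS_CMD   command used to fetch a record (default: whois)
#   MAIL_TO     if set, each changed record is mailed with mail(1)

CHECK_DIR="${CHECK_DIR:-$HOME/check}"
WHOIS_CMD="${WHOIS_CMD:-whois}"

# Strip the lines registries rewrite on every query (query timestamps,
# notices, blank lines) so a diff only fires on a change to the record
# itself. These patterns cover common .com/.net output; extend as needed.
normalize_whois() {
    grep -v -i -e '^>>> Last update of' -e '^% Timestamp' \
               -e '^NOTICE:' -e '^[[:space:]]*$' |
    sed 's/[[:space:]]*$//'
}

# check_domain DOMAIN
#   returns 0: record unchanged, or baseline just created
#   returns 1: record changed; unified diff written to stdout
#   returns 2: lookup failed or empty; baseline left untouched
check_domain() {
    domain="$1"
    baseline="$CHECK_DIR/$domain.whois"
    current="$CHECK_DIR/$domain.whois.new"
    raw="$current.raw"
    mkdir -p "$CHECK_DIR"

    # A failed or empty lookup must never become the baseline, or a
    # registry outage would look like (or hide) a record change.
    if ! "$WHOIS_CMD" "$domain" > "$raw" 2>/dev/null; then
        rm -f "$raw"
        return 2
    fi
    normalize_whois < "$raw" > "$current"
    rm -f "$raw"
    if [ ! -s "$current" ]; then
        rm -f "$current"
        return 2
    fi

    # First run for this domain: record the baseline and stop.
    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        echo "$domain: baseline recorded in $baseline"
        return 0
    fi

    if diff -u "$baseline" "$current" > "$current.diff"; then
        rm -f "$current" "$current.diff"
        return 0
    fi

    # Changed: print the diff, mail it if configured, and keep both the
    # old baseline and the new record so the alert repeats until an
    # operator accepts the change (mv DOMAIN.whois.new DOMAIN.whois).
    cat "$current.diff"
    if [ -n "${MAIL_TO:-}" ]; then
        mail -s "whois change: $domain" "$MAIL_TO" < "$current.diff"
    fi
    rm -f "$current.diff"
    return 1
}

# Only run when domains are given on the command line, so the functions
# can also be sourced by another script without side effects.
if [ "$#" -gt 0 ]; then
    status=0
    for domain in "$@"; do
        check_domain "$domain" || status=1
    done
    exit "$status"
fi
```

Run it from cron with the domains as arguments; the exit status is non-zero whenever any record changed or could not be fetched, so a wrapper can page on either condition. The alert deliberately repeats on every run until someone moves the `.new` file over the baseline, because a registrar-side change to name servers or contacts is exactly the kind of event that should not be acknowledged by a script.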

Review of Masters of Deception Posted

Just posted my three star review of Masters of Deception by Michelle Slatalla and Joshua Quittner. From the review: Masters of Deception (MOD) by Michelle Slatalla and Joshua Quittner tells the tale of the self-proclaimed Masters of Deception, a phone phreaking and proto-computer hacker crew from the early 1990s. This was one of several books on the 1980s-1990s hacker scene that I recently read, but thus far I consider it the weakest. Initially I found it interesting, but as the book progressed I found the characters increasingly boring and shallow. Overall I felt the authors glamorized the lives of kids who expressed their teenage frustrations through digital means. The MOD story may sound novel to some readers, but having lived through the period in the book I can say this is one story of many that could be told.

Review of Cyberpunk Posted

Just posted my four star review of Cyberpunk by Katie Hafner and John Markoff. From the review: Cyberpunk is a unique exploration of three distinct digital security stories. Authors Katie Hafner and John Markoff describe the histories of Kevin Mitnick and friends, Hans Heinrich Hübner and the Hannover hackers, and Robert T Morris and family. This approach is interesting because all three tales are told independently, yet key events occur within a few years of each other and some overlap... I don't usually include material beyond the first paragraph from my review announcements, but I loved these excerpts: I'd like to conclude by citing some of my favorite excerpts. First, when describing Digital's Palo Alto security, the authors write: "[I]n recognition of the open-mindedness back at corporate headquarters, the computer scientists in Palo Alto took great care to operate their precious gateway responsibly. To give the best possible oversight both for maint

Review of The Hacker Crackdown Posted

Just posted my five star review of The Hacker Crackdown by Bruce Sterling. From the review: Bruce Sterling's book The Hacker Crackdown (THC) captures the spirit and history of the "hacker scene" in the late 1980s and early 1990s. Having lived through that period with my C-64 and first 386 PC, I thought the author accurately describes what it was like for computer users during that era. THC is one of my favorite books on hacker activity because it combines a narrative with the author's accounts of interactions with key individuals. THC expertly tells several stories from multiple perspectives -- hacker, law enforcement, security professional, telecom operator, even homeless man-on-the-street! The author also manages to not offend technically-minded readers while describing material for non-technical audiences.

Everything I Need to Know About Leadership I Learned as a Patrol Leader

This post is outside the digital security realm, but I know a lot of my readers are team members and team leaders in their technical shops. I thought it might be useful to share a few thoughts on leadership. I don't claim to be the world's best leader but I've been thinking about the topic recently. I've participated in a lot of "leadership training" over the years, in and out of classrooms. A few examples: I've attended classes at GE's Crotonville, earned a master's degree from Harvard Kennedy School (supposed home to future political leaders), led a flight in the AFCERT, served as a cadet flight commander at USAFA, and captained my high school track team. As the years have progressed I find fewer of these experiences, especially formal training, to be novel or particularly helpful. For example, I believe the approaches I brought to my USAFA experience had less to do with USAFA and more to do with what I already knew. Tonight I decided to

Papers Not PowerPoint, Plus Tips for Improvement

Recently I railed against PowerPoint. In this post I'd like to congratulate Black Hat and some of their Briefings speakers for submitting white papers, not just PowerPoint presentations. This evening while cleaning out a tmp directory I noticed a copy of a white paper by IBM's Tom Cross from Black Hat DC 2010 titled Exploiting Lawful Intercept to Wiretap the Internet. The paper describes Tom's analysis of Cisco's implementation of CALEA for law enforcement-directed wiretaps. The paper is 18 pages, but the last 3 are basically citations. It's a great piece of work which I wish I had read earlier. For me, this paper emphasized how much of a failure it is to try to deliver complicated information in PowerPoint form. I got more out of taking 20 minutes to read Tom's 15 pages of material than I could have trying to make sense out of his 41 slides. Tom is a good writer whose paper delivers solid arguments. Rather than just praise the paper and slam the Powe

Bejtlich to Speak at SANS Forensics and Incident Response 2010

I am pleased to announce that I will return for the third SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. Rob Lee sent an email stating I would be on the Advanced Persistent Threat Panel with Chris Glyer and Mike Cloppert, so I'm looking forward to participating. I might also have a solo presentation, but I haven't seen the agenda yet. This IR event is a great precursor to my next SANS WhatWorks Summit in Incident Detection and Log Management in DC, 8-9 December 2010. Update: Agenda is posted. I will participate in two panels (Network Forensics, APT) and provide one briefing (CIRT-level Response to Advanced Persistent Threat).

The Face of Information Warfare

When information warfare happens, it's possible the victims will not recognize it as "warfare." I was reminded of this yesterday during the market selloff, which may have been caused by an error in trading. I'm not saying that the market selloff was an information attack. Rather, what we saw yesterday (an example appears in the screen shot -- Procter & Gamble down 32% in the blink of an eye) reminded me of what an information attack might look like. The NASDAQ is "recovering" by cancelling trades. However, how sustainable is that incident response? Are those who placed trades going to accept that response? In the future, what happens when traders can't trust what their systems display? I'm looking forward to seeing the outputs of any investigation into this incident.