Showing posts from October, 2010

Does This Sound Familiar?

Now that over a week has passed since this Economist article was published, I wanted to cite it and ask if the problem it describes sounds familiar: Globally, shrinkage [(losses from shoplifting, theft by workers and accounting errors)] cost retailers $107 billion in the year to June. This was 5.6% less than the previous year, but still the equivalent of 1.36% of sales... When it comes to thwarting thieves, shop-owners are on their own. In most countries the criminal justice system has all but given up trying to punish shoplifters... So retailers install CCTV cameras, attach so-called electronic article surveillance tags to their wares, train their staff to spot thieves and screen workers for criminal records before hiring them. This year retailers spent $26.8 billion, or 0.34% of sales, on preventing theft. Some dismiss shoplifting simply as a cost of doing business. Yet it can be serious. Some shoplifters work in organised gangs. Some turn violent when interrupted. Some, espe

What Do You Investigate First?

A colleague of mine who runs another Fortune 10 CIRT asked the following question:

Let's say for example, there is a cesspool of internal suspicious activity from netflow, log and host data. You have a limited number of resources who must have some criteria they use to grab the worst stuff first. What criteria would you use to prioritize your investigation activities?

There are two ways to approach this problem, but they will likely converge at some point anyway:

Focus on the assets.
Focus on the threats.

Focus on the assets means identify the most critical assets in your organization. You pay the most attention to them regardless of who you think is causing suspicious or malicious activity that may or may not affect those assets. In other words, whether you believe a mindless malware sample or an advanced threat may be affecting those critical assets, you still devote resources to collection and analysis of activity involving those assets.

Focus on the threats means i

FIRST Technical Colloquium Tue 2 Nov in NoVA

FIRST is holding a one-day Technical Colloquium in Herndon, VA on Tue 2 Nov 2010, organized by Jeffrey Palatt from IBM. The event is free and open to FIRST members and their guests, but seating is limited. The program features several good speakers but the interaction among the attendees is often what I like best! As you might expect the content involves detection and response to security incidents. If you are not a FIRST member but would like to see if I can sponsor you, email taosecurity at gmail dot com by Tuesday evening. Please use "FIRST TC" as the subject of the email. I will do what I can to accommodate requests, but FIRST makes the final decision concerning attendance for non-FIRST members.

Resources for Building Incident Response Teams

Recently a colleague asked me for resources for building incident response teams. I promised I would provide a few ideas, so I thought a blog post might be helpful. I figured some of you might want to add comments with links or thoughts. The CSIRT Development site is probably the best place to start. From there you can find free documents, links to classes offered by SEI on building CIRTs, and so on. I don't think you can beat that site! I don't think the resources at the FIRST site are as helpful, but the process of working toward membership is a great exercise for a new CIRT. My TaoSecurity books page lists several books which CIRTs will likely find helpful. What other resources would you suggest for someone building a CIRT? Please leave out the standard information security sites. Thank you.

Review of Professional Assembly Language Posted

Image just posted my four star review of Professional Assembly Language by Richard Blum. I reviewed one of his other books seven years ago: Network Performance Toolkit: Using Open Source Testing Tools. From the review: I read Professional Assembly Language (PAL) by Richard Blum because I wanted to become somewhat familiar with assembly language. Books like "Introduction to 80x86 Assembly Language and Computer Architecture" by Richard Detmer or "Introduction to Assembly Language Programming: From 8086 to Pentium Processors" by Sivarama P. Dandamudi seemed too dense and textbook-like to meet my needs. PAL, on the other hand, appeared very practical and focused on getting readers working with assembly language early in the text. As long as you understand the nature of PAL and the author's goals, I think you'll enjoy reading the book as much as I did.

Review of Cyber War Posted

Image just posted my four star review of Cyber War by Richard Clarke and Robert Knake. From the review: The jacket for "Cyber War" (CW) says "This is the first book about the war of the future -- cyber war." That's not true, but I would blame the publisher for those words and not the authors. A look back to 1998 reveals books like James Adams' "The Next World War: Computers Are the Weapons & the Front Line Is Everywhere," a book whose title is probably cooler than its contents. (I read it back then but did not review it.) So what's the value of CW? I recommend reading the book if you'd like a Beltway insider's view of government and military information warfare history, combined with a few recommendations that could make a difference. CW is strongest when drawing on the authors' experience with arms control but weakest when trying to advocate technical "solutions."