Showing posts from April, 2015

The Need for Test Data

Last week at the RSA Conference, I spoke to several vendors about their challenges offering products and services in the security arena. One mentioned a problem I had not heard before, but which made sense to me. The same topic will likely resonate with security researchers, academics, and developers. The vendor said that his company needed access to large amounts of realistic computing evidence to test and refine their product and service. For example, if a vendor develops software that inspects network traffic, it's important to have realistic network traffic on hand. The same is true of software that works on the endpoint, or on application logs. Nothing in the lab is quite the same as what one finds in the wild. If vendors create products that work well in the lab but fail in production, no one wins. The same is true for those who conduct research, either as coders or academics. When I asked vendors about their challenges, I was looking for issues that might meet the cr

Will "Guaranteed Security" Save the Digital World?

Thanks to a comment by Jeremiah Grossman on LinkedIn, I learned of his RSA talk "No More Snake Oil: Why InfoSec Needs Security Guarantees." I thought his slide deck looked interesting and I wish I had seen the talk. One of his arguments is that security products and services lack guarantees, "unlike every day 'real world' products," as shown on slide 3 at left. The difference between the products at left and those protected by security products and services, however, is that security products and services are trying to counter intelligent, adaptive adversaries. Jeremiah does include a slide showing multiple "online security guarantees" for financial services. Those assets do indeed face challenges from the sorts of adversaries I have in mind. I need to hear more about what Jeremiah said at this point, and I also need to learn more about these individual guarantees. It may be useful to look at what physical security companies offer by way of guarante

Example of Chinese Military Converging on US Military

We often hear of vulnerabilities in the US military introduced by net-centric warfare and a reliance on communications networks. As the Chinese military modernizes, it will introduce similar vulnerabilities. I found another example of this phenomenon courtesy of Chinascope: "PLA Used its Online Purchasing Website for its First Online Purchase," written by LKY and AEF. Xinhua reported that on April 7, the PLA announced that five manufacturers won the bidding, totaling 90 million yuan (US$14.48 million), to supply general and maintenance equipment to the PLA. The article said that these were the first purchase orders that the PLA received since it launched its military equipment purchasing website in January. The site is at  The PLA claimed that it saved close to 12 million yuan (US$1.93 million) compared to the list price. The purchase order consisted of items such as containers for maintenance equipment and tools, gas masks, carrier cases, and arm

Network Security Monitoring Remains Relevant

Cylance blogged today about a Redirect to SMB problem found in many Windows applications. Unfortunately, it facilitates credential theft. Steve Ragan wrote a good story discussing the problem. Note this issue does not rely on malware, at least not directly. It's a problem with Microsoft's Server Message Block protocol, with deep historical roots. ("Mitigating Service Account Credential Theft on Windows" [pdf] is a good paper on mitigation techniques for a variety of SMB problems.) Rather than discussing the technical problem, I wanted to make a different point. After reading about this technique, you probably want to know when an intruder uses it against you, so you can see it and preferably stop it. However, you should be wondering if an intruder has already used it against you. If you are practicing network security monitoring (described most recently in my newest book), then you should already be collecting network-based evidence of this attack. You could ch

Please Support OpenNSM Group

Do you believe in finding and removing intruders on the network before they cause damage? Do you want to support like-minded people? If you answered "yes," I'd like to tell you about a group that shares your views and needs your help. In August 2014, Jon Schipp started the Open (-Source) Network Security Monitoring Group (OpenNSM). Jon is a security engineer at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign. In his announcement on the project's mailing list, Jon wrote: The idea for this group came from a suggestion in Richard Bejtlich's most recent book, where he mentions it would be nice to see NSM groups spawn up all over much like other software user groups and for the same reasons. Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. It is an operational campaign supporting a strategy of identifying and remov