Posts

Three Prereviews

I am fairly excited by several new books which arrived at my door last week. The first is Security Data Visualization by Greg Conti. I was pleased to see a book on visualization, but also a book on visualization in color! I expect to learn quite a bit from this book and hope to apply some of the lessons to my own work. The next book is End-to-End Network Security: Defense-in-Depth by Omar Santos. This book seems like a Cisco-centric approach to defending a network, but I decided to take a look when I noticed sections on forensics, visibility, and telemetry. The author includes several diagrams which show how to get information from a variety of devices in a manner similar to NSM. I hope to be able to operationalize this information as well. The last new book is LAN Switch Security: What Hackers Know About Your Switches by Eric Vyncke and Christopher Paggen. This book looks really interesting. It is probably going to be my favorite of these three. I don't spend much ti...

Cyberinsurance in IT Security Management

One more thought before I retire this evening. I really enjoyed reading Cyberinsurance in IT Security Management by Walter S. Baer and Andrew Parkinson. Here are my favorite excerpts. IT security has traditionally referred to technical protective measures such as firewalls, authentication systems, and antivirus software to counter such attacks, and mitigation measures such as backup hardware and software systems to reduce losses should a security breach occur. In a networked IT environment, however, the economic incentives to invest in protective security measures can be perverse. My investments in IT security might do me little good if other systems connected to me remain insecure because an adversary can use any unprotected system to launch an attack on others. In economic terms, the private benefits of investment are less than the social benefits, making networked IT security a public good — and susceptible to the free-rider problem. As a consequence, private individuals and org...

Security Staff as Ultimate Insurance

I'm continuing to cite the Fifth Annual Global State of Information Security: Speaking of striking back, the 2007 security survey shows a remarkable (some might say troubling) trend. The IT department wants to control security again. In the first year of collaboration on this survey, CIO, CSO and PWC noted that the more confident a company was in its security, the less likely that company's security group reported to IT. Those companies also spent more on security. The reason CIO and CSO have always advocated for the separation of IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project — which might slow down the project and add to its cost — he's got a serious conflict of interest. In the 2003 survey, one CISO said that conflict "is just too much to overcome. Having the CISO report to IT, it's a death blow." Ouch. CIO continues: What...

Visibility, Visibility, Visibility

CIO Magazine's Fifth Annual Global State of Information Security features an image of a happy, tie-wearing corporate security person laying bricks to make a wall, while a dark-clad intruder with a crowbar violates the laws of physics by lifting up another section of the wall like it was made of fabric. That's a very apt reference to Soccer Goal Security, and I plan to discuss security physics in a future post. Right now I'd like to feature a few choice excerpts from the story: Awareness of the problematic nature of information security is approaching an all-time high. Out of every IT dollar spent, 15 cents goes to security. Security staff is being hired at an increasing rate. Surprisingly, however, enterprise security isn't improving ... Are you feeling the disquiet that comes from knowing there's no reason why your company can't be the next TJX? The angst of knowing that these modern plagues — these spam e-mails, these bots, these rootkits — will keep comi...

Excerpts from Ross Anderson / Tyler Moore Paper

I got a chance to read a new paper by one of my three wise men (Ross Anderson) and his colleague (Tyler Moore): Information Security Economics - and Beyond. The following are my favorite sections. Over the last few years, people have realised that security failure is caused by bad incentives at least as often as by bad design. Systems are particularly prone to failure when the person guarding them does not suffer the full cost of failure... [R]isks cannot be managed better until they can be measured better. Most users cannot tell good security from bad, so developers are not compensated for efforts to strengthen their code. Some evaluation schemes are so badly managed that 'approved' products are less secure than random ones. Insurance is also problematic; the local and global correlations exhibited by different attack types largely determine what sort of insurance markets are feasible. Cyber-risk markets are thus generally uncompetitive, underdeveloped or specialised... One of the...

Microsoft's Anemone Project

While flying to Los Angeles this week I read a great paper by Microsoft and Michigan researchers: Reclaiming Network-wide Visibility Using Ubiquitous Endsystem Monitors. From the Abstract: Network-centric tools like NetFlow and security systems like IDSes provide essential data about the availability, reliability, and security of network devices and applications. However, the increased use of encryption and tunnelling has reduced the visibility of monitoring applications into packet headers and payloads (e.g. 93% of traffic on our enterprise network is IPSec encapsulated). The result is the inability to collect the required information using network-only measurements. To regain the lost visibility we propose that measurement systems must themselves apply the end-to-end principle: only endsystems can correctly attach semantics to traffic they send and receive. We present such an end-to-end monitoring platform that ubiquitously records per-flow data and then we show that this approach ...

Be the Caveman

I just read a great story by InformationWeek's Sharon Gaudin titled Interview With A Convicted Hacker: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services: Convicted hacker Robert Moore, who is set to go to federal prison this week, says breaking into 15 telecommunications companies and hundreds of businesses worldwide was incredibly easy because simple IT mistakes left gaping technical holes. Moore, 23, of Spokane, Wash., pleaded guilty to conspiracy to commit computer fraud and is slated to begin his two-year sentence on Thursday for his part in a scheme to steal voice over IP services and sell them through a separate company. While prosecutors call co-conspirator Edwin Pena the mastermind of the operation, Moore acted as the hacker, admittedly scanning and breaking into telecom companies and other corporations around the world. "It's so easy. It's so easy a caveman can do it," Moore told InformationWeek, laughing. "When you've got th...