Skip to main content

Posts

Showing posts from 2011

Get with times, decentralized security is so 2000 and late

You would think we would have matured enough as a security industry that there would be a consensus on this topic. However we are not even close, mainly due to bureaucracy and politics. So lets survey the land of failed justifications.

"Were so big we have to be decentralized"

There is nothing that states centralized security means physical separation. You can have people local to your sites all over the world and still report into a single organization.

"Our business unit is so different we need our own team"

This argument often can be valid for IT services which require customization and agility. This is rarely the case for security. Just because a particular business may require a different policy or higher standards doesn't mean they should be rogue. The overall marching orders need to be coordinated otherwise you end up having gaps in visibility, protection, compliance, etc.

"This is the way we have always done it here"

This is by far the weakest thing…

Shooting Blanks FTL

How many times in your career have your heard there are no silver bullets? I'm sure its been quite a few times and then some. It definitely needs to be apart of your infosec mantra to ensure people don't have a false sense of security. It should be well ingrained that [AV, FIREWALLS, IPS, PROXIES, *] don't stop sophisticated attackers. They are at best a speed bump in the road.

So what is the point of this post? I've noticed a disturbing trend in the industry of knowledgedable individuals going to the opposite of the spectrum. Instead of taking a practical approach they shoot down any security control based on its flaws. One of my favorite quotes illustrates this perfectly.

Narrator: Tyler, you are by far the most interesting single-serving friend I've ever met... see I have this thing: everything on a plane is single-serving...
Tyler Durden: Oh I get it, it's very clever.
Narrator: Thank you.
Tyler Durden: How's that working out for you?
Narrator: What?
Tyl…

CEIC 2011 Recap

After leaving a cold and rainy 50 degrees and arriving in Orlando to a warm, sunny 80 degrees, I was immediately in a better mood. The Royal Pacific venue is awesome. It's located at Universal Studios, has nice rooms and great restaurants. Registration was quick and painless with no long DefCon style lines. I was surprised a bit though that 1100 people were here as I thought the con would be a little smaller. However it doesn't feel as crowded as some others I've been to. They did mention that the amount of attendees has doubled since 2009.

I first attended an Encase Forensic v7 Preview workshop to outline what is being released in June. They have FINALLY added true multi-core, multi-threading to take advantage of good hardware. Some highlights include all modules like the ProTools Suite are now included in the base product and more noteworthy native processing for iOS, RIM, Android, and WinPhone6. There is also a new evidence format (EX01) and shiny new frontend for openin…

Containment Strategery

One of the key metrics Computer Incident Response Teams (CIRTs) often measure is time to containment. This is often seen as a way to guage the performance of the team as it tracks how long it takes to contain a compromised or infected computer from the time of reporting or detection. This number varies widely accross the companies and many simply do not have the capability or desire to record this information. I think this metric often indicates how well the CIRT team knows their environment and the maturity of their processes. So I highly recommend it be a key performance indicator in your CIRT program.

Today however I would like to specifically talk about an appropriate goal for this metric in relation to compromise by advanced external threats. So I will be excluding non-targeted malware and insider scenarios. I believe on one end of the spectrum you have teams that like to contain as soon as possible to limit any possible impact, whereas on the opposite end you have teams that like…

When to burn a Zero-Day?

So I've often heard people say "Why would you waste a Zero-day on &ltinsert something&gt?". And on the opposite end of using your Zero-day, you have the hoarders who simply collect them to keep in their back pocket. So the question remains, when is the appropriate time to actually use a Zero-day for legitimate purposes?

The primary impetus for this discussion was someone smugly claiming they would never use a zero-day in a hacking competition or CTF event. So I can understand that stance, however if your trying to win something like P0wn20wn or some other serious hacking competition why wouldn't you? Is that truly a waste of a good Zero-day if it brings you respect in the industry and potentially more consulting work? I don't believe so, however financially given the cost of exploit development it may be wasteful. I think it really depends on the exploit. I've heard that security research companies often task teams of individuals for months to years ju…

What scares you more: APT vs Anonymous vs Wikileaks?

So the past few years have been very interesting in IT security as the amount of public disclosures have increased exponentially. Victims like Google, RSA, HBGary, Bank of America, etc and consultants like Mandiant, McAfee, and Verizon Business have provided more details then ever about the serious threats facing the public and private sector. Its almost coming to the point of information overload, and that's even after weeding out the FUD and sales talk.

So as a security leader in your company what keeps you up at night? First lets define the three "threats" I'm detailing. Yes there are still plenty of other big time threats like organized crime, however I'm keeping the list intentionally small and current.

First you have our beloved APT. I hate this term, its been polluted by the originators of the term, by the people who should know better calling it FUD, and by the sales/marketing folks. But its what we have to work with. APT, has various goals, but the noisies…