2014-07-01

Priorities, CVEs, and CVSS

Even after processes are shored up, there will still be a need to prioritize what needs to be fixed next. Hopefully, with vetted and working processes backing up remediation efforts, this clean up will be manageable.

What to do next? Overwhelming operational areas with a giant list will only create a log jam. But, if we're focused on finding every weakness and trying to establish priorities, is that doing the same to TVM groups?

Stop using your vulnerability scanner for patch auditing!

Patch auditing is important, and you should do it, but your vulnerability scanner or service can (and should) do so much more.

Patching is designed to address the things you know about (or should know about). What about the things you haven't considered?

At first, this sounds counter-intuitive, but consider the goal for doing a vulnerability scan: to identify unaddressed weaknesses. If you have a patch management program, you already know about patches. If it has gaps, you need to know that, of course. But, what about security baselines? If you focus on auditing your patch management to the exclusion of all else (the noisiest aspect of vulnerability assessment), you run the risk of exposure due to misconfigurations that can be far worse than the patches you've missed.

2014-06-30

How do I prioritize what to fix?

I spent about six years in vulnerability management before I decided to go be a penetration tester. I was frustrated by having to rely on the analysis of others, and on generalized guesswork to determine what made the biggest threat to the organization. I thought that being able to focus on security research and practical penetration would open my eyes to the realities of offense in a way that would help me make the most sense of security as a discipline.

What I found out was enlightening.

2014-05-18

CarolinaCon X Crypto Challenge Writeup

This year, I offered to run the crypto challenge at CarolinaCon X. I was offered the advice that very complex challenges were often met with frustration during the conference and it was requested that I make something that didn't require advanced mathematical degrees or a history of working with the NSA to solve ;)

With that in mind, Jaku and Ryan Linn were both very generous and offered to help me.

The below post is a writeup of the challenge, how it went, a solution, and some lessons learned. Don't scroll past the writeup header if you don't want spoilers.

2014-04-14

Personalizing Data Security Part 3

In parts 1 and 2, we talked about various forms of security testing and evaluation by telling a story about a concerned parent purchasing (and evaluating) a car for the newly licensed teenaged daughter. Now, let's talk about the mechanic for a bit.

You, fortunately, have had a car before, and have had the opportunity to work with this mechanic before. He set your expectations, you’ve seen what he’s done before, and you generally have good reasons to trust him because you know what you want is what he is going to give you. You’ve already got a mutually established language. His services are clearly defined. You know what to expect.

What if you’ve never had a car before, and you don’t know any mechanics?

Personalizing Data Security Part 2

Previously, we created a story that aligns data security with buying the best car for your only teenaged daughter. Now, let's explore the choice between vulnerability assessment and penetration testing - the consequences of your decision as a parent and car buyer.

Since you're tight on budget, you decide it's best to go with the thorough once-over. After all, if you opt for the test drive, you aren't going to find everything that's wrong, anyway. Your goal is to figure out how you should best spend your money now that you know your car has some flaws. Your objective is to figure out which flaws are the most serious, and address them with your wallet.

Personalizing Data Security Part 1

The problem with data security is that it isn't personal. Those who have the responsibility for security often don't have a personal stake. Sometimes, the issue is with jargon. So, let's have story time. What if your environment were a car? What if it wasn't someone else's data, but your child?

Let’s say you are a concerned parent. Your only daughter has just turned old enough to have her first car. You have shopped around for the right car to meet your needs and your budget, and you’ve bought something. But, now you need to make sure it’s safe. Not only does the law require you to meet certain requirements of auto safety, but would you feel terrible if something bad happened to your only daughter because you chose poorly? What about all of her friends who ride with her, and all the other people on the road?

2014-03-24

Understanding, Underachievement, and the Impact of Conformity

Work smarter, not harder does not mean you can replace all your smart employees with tools and cheap button clickers. The fallacy is, tools are not a 1:1 replacement for people. You have the cost of the tool, the cost of the people who use the tool, and the cost of the people who install, maintain, and support the tool.

You can attract the right talent if you pay them what they are worth, treat them with respect, and enable them to support your organizational mission. Consider that as an alternative to silver bullet solutions with complex back ends and major licensing fees.

I have worked within IT for nearly twenty years, and after sacrificing more of my personal life than was reasonable to long hours and countless weekends spent in support of organizational missions, I decided to stay in information technology and join the information security discipline. I did this because I wanted to make things better for the millions of people who daily entrust organizations with our financial and personal details, either in naiveté (that we cannot be impacted by the loss of the information we share) or in the belief that these organizations are using the data we give them prudently and with due care to protect it.

2014-02-20

The Singularity

Every now and then, the conversation resurfaces: when will The Singularity occur, and what will we do when it happens?

A basic question about it is, if only the most talented of us are worthy of power, money, and recognition, and if those things are directly related to quality of life, is it ever in our best interest to enable programs to become better at what we do than we are? Of course this hinges on what people define as talent and worth. In business, value is often determined by rarity of skillset, where rarity is diffused by the availability of less expensive alternatives.

It's an important question for technologists, because most of us have spent our careers writing clever scripts or programs to do the tedious parts of what we do. This cleverness has led business leaders and opportunists to encourage this trend as a means to reduce that rarity and pay less for technologists, or to justify having fewer of them.

It's a familiar argument to Infosec folks: the magic bullet application that protects all things so businesses can cut expenses on headcount.

So, with this observation, I have a proposal.

2013-12-01

5 Questions to ask before starting a Vulnerability Management Program

Many if not most organizations are already operating at a capacity to sustain the existing work without taking on significant amounts of new work. Since a vulnerability scanning program has the potential to add quite a bit more effort, not only for your security staff but also for operations staff, this makes it fairly important to ask the right questions before you commit.

It's all about the man purse

At this point, I don't think it's unreasonable to expect that cell phones and tablets will ultimately merge into a single device, and that it will take over the role of the Roku and DVR as entertainment providers adapt to the online single-show/single-series subscriber models with devices like Chromecast bridging the gap between tiny screens and larger entertainment center experiences. More frightening is the idea that these will become the new house keys and primary home provisioning devices. Right now, people have coined the term "phablet" to describe this bizarre hybrid device, but I don't think that term is broad enough to describe what this will actually become.

2012-06-12

The New MacBook Pro

My old 17" MBP gave up the ghost recently. I had reached 98% capacity in my 120 GB drive, and my VMs were dying with Snow Leopard with only 2 GB of RAM. This was the max at the time that the model supported.

I found out from iFixit that my model could upgrade to 6 GB of memory with a manual repair. So, I did that. Then I bought a 500 GB internal drive, and put it all together. Then the logic board died. It's about $900 to replace the logic board, and even then, it's likely only a refurb.

So, I went out to look at a new Mac. Here's what I found.

This is not a hard core hardware review of the new Mac. I don't have that info. But, here are my consumer thoughts - price, upgradability, features.

2012-05-14

Conference Angst

I've been to my share of InfoSec conferences, and there seems to be a universal undercurrent of dissatisfaction regardless of the conference. There are the complaints that the speakers are chosen poorly, or the content is inappropriate or unsatisfying, or the assertion that InfoSec conferences do nothing except perpetuate the echo chamber. The disconnect, in my opinion, is that conferences are rarely solution-based.

These all follow the same general format that has been followed for decades: multiple "tracks" with hour long slots (occasionally a lightning talk track that enables shorter presentations), separate training offerings (normally pre-conference, or sometimes during conference as a track), sometimes a vendor room, sometimes side-events or contests, and usually some form of after party during which vendors collect leads and partygoers make connections.

Attendees may leave a presentation better informed about a topic, but most presentations are unlikely to grant new skills to the audience. Training is, for the most part, a separate goal. Presentations are frequently one-way communiqués designed to generate thought or debate, or to introduce a new tool or methodology. But it's rare, even at B-Sides events, for presentations alone to achieve the type of engagement that results in solutions and deep collaboration.

The excuse to bring people into narrow physical proximity generates some of this synergy in the form of "hallway con." And many argue this is the real value of conferences: a 'safe' forum in which like-minded people can have informal discussions off the books that result in ideas, agreements, or collaboration that more broadly influences or improves things.

In response to the solutions disconnect, some have proposed "hack-a-thons" in which talented individuals come together for a set period of time and a specific goal to program solutions. But, this approach is likely to alienate community members who don't code, and is more likely to hinder innovation across the lines between policy/process and tools manufacture/usage.

I would like to see "tracks" around workgroups and workshops instead of presentations. Topics that are designed to bring like-minded people together to discuss and even generate solutions, or share skills. Put the power-point in an isolated track of 15-30 minute presentations designed to quickly introduce questions or ideas designed to stir innovation. Does this exist? Is there any interest in making it exist?

2012-03-23

The problem with certifications and CBKs

A lot of people complain that certifications demonstrate a familiarity with a Common Body of Knowledge (CBK), but that a familiarity with the knowledge does not indicate competence at applying it. In an attempt to compensate for this, some authorities have required proof of experience and professional endorsements. But, sadly, experience is not the same as competence.

Some have suggested that certification should be accompanied by monitored internships or with specific project work in order to prove competence.

But these are all missing something of the point. CBKs are good at informing a practice, but they can't teach professionals how specifically to implement a practice. Companies are too diverse. What works for a bank isn't guaranteed to work for a hospital. What works for a risk-centric security department isn't guaranteed to work for a response-mandated organization. Success implementing a risk management program in a healthcare organization is not a guarantee of success doing the same on a government contract.

CBKs define the points at which differing organizations converge, not the techniques specific individuals must use to apply the knowledge successfully in different circumstances.

2011-10-16

How bad relationships break the home

Mom complains that the door isn't locked and says Dad should lock it before he comes to bed. Dad says she's over-reacting; it's a safe neighborhood. Besides, he remembers that time she had a total meltdown because there was one tiny spider on the steering wheel in her car. Holy Christ, what a mess.

Three days later, the house gets broken into, and those photos they took as a joke on their honeymoon are missing from the safe. The head of the homeowner's association has copies, and the rest of the neighborhood is picketing on their front lawn because they want Mom and Dad out.

Mom says "I told you so." Dad blames Mom for not waking up. Mom says Dad snores like a trucker, and she had to get ear plugs years ago to get any sleep. Dad's had enough of the fighting and files for divorce. She's his third ex-wife now, and he's decided that all women are insane. He's going to be better off dating casually and letting someone else deal with relationship issues.

If you don't trust the assessments of your technical resources, you should have a talk with them about why. If that doesn't work, get technical resources you can trust. If that doesn't work, be careful about going to a cloud services provider to fix all your woes. Remember, the common factor in all your failed relationships is you.

Communication and reconciliation are two-way processes. They require both parties to sit at the table. Playing "You're wrong, and I'm right" doesn't resolve any conflict, and it doesn't get you any closer to paying the bills.