March 2008 Archives

I live on Long Island, and depending on the wind, right under the final approach paths for John F Kennedy International Airport. The planes pass overhead when their landing gears are extending, which means that they are low and noisy.

While laying in bed, I was listening to them and I could not help but think that a pilot's job must be very similar to that of a security professional. Professional pilots on modern airplanes do not spend the majority of their time flying the plane. Instead, they are constantly running through scenarios. What can go wrong in the next 20 minutes? If it happens, what do I do? What is the closest alternative airport to which I can go in case of trouble? What do I do if I hit wind shear on my final approach to the runway? Are my instruments giving me correct readings? Am I following the directions of the air traffic controller?

Malware targeting crypto keys

The Internet Storm Center has an interesting diary entry today. Maarten van Horenbeeck discusses targeted malware that scans the compromised host for encryption keys and also includes a key logger to retrieve passphrases.

This is scary stuff; when an attacker is able to obtain both the secret key and the passphrase, non-repudiation cannot be guaranteed anymore. If this kind of malware spreads widely, it might even undermine the (rather minimal) level of trust that currently exists on the internet. After all, if an attacker can go after secret keys, they can also go after SSL certificates (most of which are not even password-protected, so the need for a key logger is not even there).
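The diary entry and the paragraph above point at one concrete, checkable weakness: private keys that sit on disk without a passphrase. The following audit script is an added example, not code from the ISC diary or from this post. It walks a set of PEM-encoded files and reports every private key stored in the clear, recognising the PKCS#8 `ENCRYPTED PRIVATE KEY` label, the `Proc-Type: 4,ENCRYPTED` header of traditional OpenSSL keys, and the cipher name recorded inside the `openssh-key-v1` container. The sample inputs are constructed placeholders (the base64 bodies are not real key material), and the file names are assumptions for illustration.

```python
import base64
import re
import struct

# One PEM block: label in the BEGIN/END lines, everything in between is the body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S
)
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH wire 'string' at offset; return (value, new_offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def openssh_cipher(body_b64: str) -> str:
    """Cipher name stored in an OpenSSH private key body; 'none' means unencrypted."""
    raw = base64.b64decode("".join(body_b64.split()))
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, _ = _read_ssh_string(raw, len(OPENSSH_MAGIC))
    return cipher.decode("ascii")


def classify_pem(text: str):
    """Return (block_label, encrypted) for every private-key block found in text."""
    findings = []
    for label, body in PEM_BLOCK.findall(text):
        if not label.endswith("PRIVATE KEY"):
            continue  # certificates and public keys carry no secret material
        if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, encrypted
            encrypted = True
        elif label == "PRIVATE KEY":               # PKCS#8, cleartext
            encrypted = False
        elif label == "OPENSSH PRIVATE KEY":       # flag lives inside the blob
            encrypted = openssh_cipher(body) != "none"
        else:                                      # traditional RSA/DSA/EC: PEM headers
            headers = body.split("\n\n", 1)[0] if "\n\n" in body else ""
            encrypted = "Proc-Type: 4,ENCRYPTED" in headers
        findings.append((label, encrypted))
    return findings


def unprotected_keys(files: dict) -> list:
    """Sorted names of files holding at least one private key without a passphrase."""
    return sorted(name for name, text in files.items()
                  if any(not enc for _, enc in classify_pem(text)))


def _openssh_body(cipher: bytes) -> str:
    """Leading fields of an openssh-key-v1 blob (constructed sample, not a usable key)."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    raw = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
           + _ssh_string(b"") + struct.pack(">I", 1))
    return base64.b64encode(raw).decode("ascii") + "\n"


# Constructed samples: placeholder bodies and hypothetical file names.
SAMPLES = {
    "server.crt": "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
    "pkcs8_plain.pem": "-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----\n",
    "pkcs8_encrypted.pem": ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF\n"
                            "-----END ENCRYPTED PRIVATE KEY-----\n"),
    "rsa_plain.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n",
    "rsa_encrypted.pem": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nMIIE\n"
                          "-----END RSA PRIVATE KEY-----\n"),
    "id_ed25519_plain": ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + _openssh_body(b"none")
                         + "-----END OPENSSH PRIVATE KEY-----\n"),
    "id_ed25519_encrypted": ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + _openssh_body(b"aes256-ctr")
                             + "-----END OPENSSH PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for name in unprotected_keys(SAMPLES):
        print(f"{name}: private key stored without a passphrase")
```

Run against a real home directory, `SAMPLES` would be replaced by the contents of `~/.ssh` and any certificate stores; a key reported here is exactly the kind of file the malware in the diary entry can lift without needing the key logger at all.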

Teaching Computer Security

I am very fortunate in that I will be teaching an undergraduate-level class on computer security this fall. This is a class for computer science students with a technical interest, and not so much a business focus.

When I was a student in college, I avoided many classes for a number of reasons. Some of them were simply way too early (what student can pay attention at 7.45am?!), and others were on topics that I did not find all that interesting. However, the biggest turn-off was when a teacher opened the first class of the semester with a statement similar to "There is nothing I am going to tell you in the lectures that is not also in your books". Great. Why am I sitting through hours of boring agony when all that material is also in a book that I can study when it suits me best? More often than not, questions that arise during lectures of this type are not answered sufficiently anyway. In my opinion, a lecture that merely summarizes a book's content, without adding insights to it or enriching the "learning experience", should be made illegal.

Why Hacking Changed


If you are an old school hacker or old school security professional, I'm going to be upfront with you. Old school hacking is dead, network hacking is dead, firewalls are useless and AV software is a mere redundant software package that underlines your frustration and ignorance about contemporary hacking. Defense in depth has been deceased since the nineties and it will never come back. The Internet is operated with knowledge that stems from the late eighties and nineties. All you learned about the Internet from the seventies till the late two thousands is dead. It is no longer the landscape we work on. It is no longer the Internet of today, it is certainly not the Internet of tomorrow. It belongs in history books and nothing more. It is crucial to understand this. If we do not agree, the security field stays behind the facts of today.

Source: http://www.0x000000.com/?i=536
The author argues that information security should focus much more on software-based attack vectors, instead of concentrating on network and operating system attacks.

Information Classification


One of the responsibilities assigned to me in my current position is the development and implementation of a comprehensive information security policy. In line with the premise that what you do not know about, you cannot protect, I started with drafting an information classification policy.

In researching that policy at other organizations, most of the examples that I found focused on the well-known categories: public, sensitive, and confidential, or variations on that theme.

Note: this is a bit of an unusual post for me!

Martin has always been fairly positive about the ScribeFire plugin for Mozilla Firefox. True, it has its quirks, but the plugin seems to work fairly well. I decided to also take a look at it, but was unable to get it to work on my first attempt. I just could not get my blog added to the interface, even though I am running a supported engine (Movable Type). ScribeFire insisted that I had provided an invalid username/password.

Here is what I did to get it to work.

NYMISSA: Ethical Hacking


Every month, I try to attend the meetings of the local chapter of the Information Systems Security Association. Since I started attending, the topics have usually been geared to management-type subjects, such as legal issues, strategic outlook for the next 5 years, etc. Today's session was refreshingly different; the topic was ethical hacking, which seems to be the currently fashionable euphemism for penetration testing.

When people ask me what my focus area in information security is, I usually answer with "upper-tactical to mid-strategic levels" if it is someone with a business background, or "just about anything non-technical" when it is someone with a technical background. At the moment, my focus seems to be mainly in four areas: policy development, business continuity & disaster recovery, user awareness and incident management. In the past, I have done architectural work (mostly related to SIM/SIEM, NIDS/NIPS, HIPS, etc.) and lots of hands-on things (sysadmin, some packet analysis, vulnerability scanning, etc.)

The last year-and-a-half or so, I have been (too) far away from operational things, which is why I was very happy when I was given the opportunity to take some additional training. Not only does it keep me in touch with "real work", it also gives me a good refresher on what the bad guys are up to, and more specifically, HOW they do it.

Adam on...


Just a quick note to congratulate Adam Dodge on his new blog. Go over there and check it out.

Spam


While I often complain about the amount of spam I get, I sometimes forget about the amount of spam that I never see. Much of spam filtering relies on statistics; a Bayesian filter assigns a spam-likelihood to a message based on the occurrence of certain words and phrases. The more that words like Viagra, Meds, etc., appear in a message, the more likely it is to be spam.

By telling the system when a message is spam, it learns and continuously improves its accuracy. At the same time, it is important to glance through the spam folder every now and then to make sure that messages tagged as spam really are spam. Telling the system about these so-called false positives is also a way to teach it and allow it to become more accurate.
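The two paragraphs above describe the whole loop: score a message by the words it contains, learn from messages the user marks as spam, and learn again from false positives pulled back out of the spam folder. The following naive Bayes filter is an added example, not the author's code or any particular mail product's; it uses per-message word presence with add-one smoothing, works in log-odds so a long message does not underflow, and treats a reported false positive as a new ham training example. The training messages and the messages being scored are constructed for the example.

```python
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z0-9]+")


def tokenize(text: str) -> set:
    """Lower-case word set; each word counts once per message (binary features)."""
    return set(WORD.findall(text.lower()))


class BayesFilter:
    """Naive Bayes spam filter over per-message word presence, add-one smoothed."""

    def __init__(self, threshold: float = 0.5):
        self.threshold = threshold
        self.docs = {"spam": 0, "ham": 0}                    # messages seen per class
        self.words = {"spam": Counter(), "ham": Counter()}   # messages containing word

    def train(self, text: str, is_spam: bool) -> None:
        label = "spam" if is_spam else "ham"
        self.docs[label] += 1
        self.words[label].update(tokenize(text))

    def _log_likelihood_ratio(self, word: str) -> float:
        # P(word | class) = (messages of class containing word + 1) / (messages of class + 2)
        p_spam = (self.words["spam"][word] + 1) / (self.docs["spam"] + 2)
        p_ham = (self.words["ham"][word] + 1) / (self.docs["ham"] + 2)
        return math.log(p_spam / p_ham)

    def spam_probability(self, text: str) -> float:
        """P(spam | message), accumulated as log-odds and squashed back at the end."""
        if self.docs["spam"] + self.docs["ham"] == 0:
            return 0.5  # untrained filter has no opinion
        # Class prior with one pseudo-count per class so an empty class never gives log(0)
        log_odds = math.log((self.docs["spam"] + 1) / (self.docs["ham"] + 1))
        log_odds += sum(self._log_likelihood_ratio(w) for w in tokenize(text))
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text: str) -> bool:
        return self.spam_probability(text) >= self.threshold

    def report_false_positive(self, text: str) -> None:
        """The user found a legitimate message in the spam folder: learn it as ham."""
        self.train(text, is_spam=False)


# Constructed training messages, not real mail.
SAMPLE_SPAM = [
    "Cheap Viagra and meds, order now!!!",
    "Buy meds online, cheap prices, viagra pills",
    "Limited offer: cheap pills, order today",
]
SAMPLE_HAM = [
    "Can we move the project meeting to Thursday?",
    "Agenda for the security policy review attached",
    "Thanks for the meeting notes, see you Thursday",
]


def build_sample_filter() -> BayesFilter:
    """Filter trained on the constructed samples above."""
    f = BayesFilter()
    for message in SAMPLE_SPAM:
        f.train(message, is_spam=True)
    for message in SAMPLE_HAM:
        f.train(message, is_spam=False)
    return f


if __name__ == "__main__":
    f = build_sample_filter()
    borderline = "Order cheap meds for the clinic"   # legitimate, but spam-looking words
    print(f"{borderline!r}: {f.spam_probability(borderline):.2f}")
    f.report_false_positive(borderline)             # user rescues it from the spam folder
    print(f"after correction: {f.spam_probability(borderline):.2f}")
```

The borderline message shows why the author's advice to check the spam folder matters: with only six training messages, "order", "cheap" and "meds" outweigh the office vocabulary and the message lands in the spam folder, and a single false-positive report is enough to move it back while the obvious spam still scores high.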


So, next time you sigh deeply to complain that a staggering 10 spam messages made it to your Inbox, remind yourself that a few hundred never made it there in the first place, and appreciate that when thousands of people cooperate (even if they do not know it), filtering can be very effective.

I have a hate/love relationship with product vendors.

Throughout my career, I have tried hard to remain vendor-neutral and technology-neutral. Getting anywhere between 5 and 10 unsolicited vendor calls on a bad day is not going to make me suddenly jump and buy a product, or even look at it. Instead, it interrupts what I am doing at the time, breaks my concentration, and probably lowers my willingness to listen to you.

Yet, I do realize that many of the controls that we implement as information security professionals rely on technology, or even consist of it.

Like many others, I have been a member of the Security Catalysts Community for a while. When I first joined, I did not really take advantage of my membership as much as I should have, but I have made up for it in the last few months.

When Michael Santarcangelo started the weekly Carnivals, I was more than happy to participate. If you are not yet a member of the Security Catalysts Community, or SCC as it is lovingly known, please do pay us a visit.

Some of the topics that caught my attention in the last week were:

Safety vs. Security


Safety and security are two closely related concepts. According to the Merriam-Webster dictionary:

Safety: 1: the condition of being safe from undergoing or causing hurt, injury, or loss

Security: 1: the quality or state of being secure: as a: freedom from danger

I mentioned before that I would be attending this year's EDUCAUSE Security Professionals Conference in Arlington, VA. The conference (May 4 - May 6) has a very interesting schedule, and I hope to meet many new people in person when I am there.

If you work in security in Higher Education, and you have not registered yet, you should really go ahead and check out the program. The conference is still accepting registrations, and the fees are very reasonable.

Today, I received the confirmation that I will be a member of next year's program committee. I am really looking forward to providing this service to the community, and I will do my best to live up to the expectations.

On policy writing


A Haiku:

Writing Policy:
Tread Light. Act Firm. Hope. Think. Do.
I Will Persevere