March 2009 Archives

Preparing for Conficker's April 1st

Whether or not it will prove to justify the effort, Conficker has kept many of us fairly busy over the past few weeks. When the news broke late last weekend that machines infected with Conficker were, at least for the time being, network-detectable, many vulnerability scanners have been running 24/7.

My own group was no exception; we are a paying Tenable customer and we were able to get a handle on the Nessus plugin right away.

When we had not found a single detection after scanning for nearly 24 hours, we were getting a little worried. While we believe that we are doing a fairly good job at keeping our end points patched and firewalled, it was (and still is) hard to believe that we did not have a single infection on our network.

Hiding in plain sight

Only a few people have the ability to make others stop in their tracks and really listen to what they have to say. Not just hearing the words they speak, but really absorbing what they say, is probably the best use of time possible. Dan Geer is one of these people.

Marcus Ranum interviewed Geer on his "Rear Guard" Security Podcast, and a few of the points that were made stood out to me. One of the points Geer made was that somewhere in the past decade, it became far cheaper to keep data than to delete it selectively. A direct consequence of keeping more and more data is that it becomes nearly impossible to categorize it, and we increasingly rely on search to find that one bit of information we are looking for.

Assessments are good things. Let me elaborate.

Yesterday was the last mentoring session of my current SANS class. I was pleased to see the feedback that my students gave me, and I am definitely planning to do this again somewhere this Fall. Mentoring a class is very rewarding; not only does it allow you to rise above the course material in a way that is almost impossible to do when you are 'just' a student, it will also expand your professional network and expose you to different environments.

SOURCE Boston 2009, Day 1


Whenever there is a gathering of like-minded individuals, the atmosphere is generally good. SOURCE Boston is no different. I arrived yesterday on a Delta Shuttle flight, which shows that air travel can indeed be pleasant and civilized. Even the TSA staff at the Marine Air Terminal at LaGuardia Airport was friendly, patient and polite. The waiting area is highly civilized and quiet, and the plane was comfortable. Every now and then, an experience like this reminds you what flying should be like.

After getting to the Seaport Hotel, check-in went flawlessly and I settled in. The opening talk in the morning was interesting and, at times, a little provocative. All in all, Peter Kuper did a good job kicking off the conference, speaking on the current economic crisis and its underlying causes.

The first regular talk I attended was by my friend David Mortman, who spoke on the different privacy laws, and the implications that they have for information security. Anyone who knows David knows that he is an interesting person to listen to, and this was no exception. He bakes bread pretty well too.

Adam and I were up immediately following David and we spoke on why information security in higher education brings its own particular challenges to the table. While the session was not very busy (as expected), the interaction and the feedback that we got was very good and we both enjoyed it a lot. Hopefully our audience did too. The slide-deck of the presentation is available for download in case you are interested.

Next up was lunch (excellent! Probably the best conference lunch I have ever had), followed by Adam Shostack presenting on the crisis in information security. Adam makes a strong point of the need for data in order to test hypotheses. Adam's presentation was followed by the guys from Full Scope Security on the role of client-side attacks in penetration testing.

I was unable to attend the last session of the day due to some scheduling conflicts, and as I write this, I am getting ready for the speaker's reception tonight, and the SOURCE Party immediately after.

All in all, this was a great way to open up the conference, and I was happy that I was able to make it here! I look forward to what tomorrow has to bring.

It is almost time to head home and start packing for SOURCE Boston 2009. Together with Adam Dodge, I will be presenting on Wednesday in the business track. The title of our talk is Information Security in Higher Education: Baby steps. We think we have an interesting talk lined up.

What we'll be saying in 100 words is:

Many information security best practices are barely applicable in Higher Education. Colleges are special places of learning, exploration and the open exchange of information. Through intellectual discussion and organized discourse, students and faculty convene to transfer knowledge and insight on esteemed topics.

In this special environment, employees cannot be held accountable, network users are not employees, high-speed networks have few restrictions, and intellectual property is not owned by the organization.

We will discuss some of the challenges that we encountered in the first year after dedicated information security functions were created, and we will share some lessons that we learned.

While the title is fairly specific to higher education, I hope we'll be able to add some interesting insights for those of you who are not in higher ed.

If you are going to be at SOURCE, please drop me a line and we'll try to hook up!

ENISA is the European Network and Information Security Agency. ENISA functions as a center of expertise and as a switchboard of information for best practices in network and information security.

The organization recently published a set of CSIRT training materials. The material is published on the web site and makes a good read. CSIRT-specific training is not commonly available, and this is a great contribution to the security community.

I was very pleased to receive word today that I passed the Offensive Security Certification Challenge. The OSCP is probably one of the hardest hands-on technical challenges that I have taken, and I was very happy (and somewhat surprised) to learn that I passed it.

I have said it before, and I'll be saying it again: the Offensive Security classes are excellent value for money for any security professional who wants to further develop their hands-on technical skills.

Don't expect lots of talk about policies, governance, compliance, risk, etc., but do expect to be spending an incredible amount of (quality) time on the command prompts of both Unix-like operating systems and Windows boxes.