Recently in Security Category

Service announcement for vendors


This is a service announcement for product/service vendors.

As an information security executive, I appreciate all the work you do. The products and services that you develop are feature-rich and help me secure my environment, and I appreciate partnering with you to make that happen.

However, there are some rules that you need to follow:

1. Do not cold-call me and within 30 seconds ask me what my budget is. I'm not going to tell you what I am willing to pay if I don't have a previous working relationship with you and have sufficient confidence in your ability to provide me with a reasonable value proposition. I appreciate the fact that you want to make money, and it is in my best interest that you do. I realize that you will not be around the next time I need you if I do not let you make a profit. I do not mind paying for a product or service that is provided well.

2. Without having any knowledge of my environment, do not tell me that what I have been doing is ineffective and too expensive. It is an insult to my abilities to deliver value to my organization.

3. Do not claim that commercial products are always better and cheaper than open source alternatives. I realize that open source products also need to be maintained and that I need product-specific skills in order to operate them. If what you offer can be operated by somebody whose skill set is limited to operating a toaster, I probably do not want to do business with you.

4. Sometimes your call is not convenient. If I let you go to voice mail, do not call back three times in the following five minutes.

5. Don't schedule a follow-up phone call with a sales engineer if I do not explicitly agree to that.

Thank you for your attention.

Security Thought Leader


It is no secret that I am a SANS mentor and a GIAC Gold adviser. Yet, I am honored and extremely pleased to recently be named a Security Thought Leader by the SANS Institute. Of course, I will do my best to live up to the (raised) expectations that come with such a designation! Read Stephen Northcutt's interview with me here.

Fatal System Error

WNYC, New York City's public radio station, recently ran a few items on information security. The Leonard Lopate show of January 28th (hosted by guest host Mike Pesca) featured Joseph Menn, the author of a new book called Fatal System Error. The episode is available as a podcast here and runs for about 20 minutes.

Menn also featured a few days earlier on Fresh Air, talking about the same topic. On Fresh Air, the main character in the book, Barrett Lyon, also makes an appearance. Lyon is probably most well known for having some issues with AOL downtime in the late nineties. The Fresh Air episode is available here and runs for about 30 minutes.

Both shows are worth listening to as they feature topics that are timely and, for a mainstream show, include relevant technical details. Of course, always keep in mind that both episodes feature the author of the book, who has a vested interest in selling it.

Last week was the last week of my SANS mentor class for Hacker Techniques, Exploits and Incident Handling. Hopefully my students will try out for certification and pass gloriously.

As always, we wrapped the 10-week teaching cycle up with the ever-entertaining capture-the-flag (CtF) session that really drives home a few key points. In a previous blog post (Computer Security Badness Hierarchy, January 13, 2009), I argued that when we focus on our responsibility for securing information technology (as part of a much larger socio-economic information system), information security practitioners really only have to worry about a few types of things: Bad Users, Bad Configuration, and Bad Software.

Most CtFs are completely in line with my hierarchy: by using tools such as nmap and Metasploit, and by leveraging exploit code that is readily available in places like the Offensive Security Exploit Database (formerly known as Milw0rm), most challenges in "hack labs" can be solved easily.

The major exploitable categories are typically credential re-use (bad users), unpatched software (bad software), running unnecessary services (bad configuration) and lack of port filtering (bad configuration), and they can be found on most (if not all) enterprise networks. Of course, there are many more attack vectors (think "Web" and "end-point").

As a security practitioner, there are few tools more valuable than a well-designed and fully implemented vulnerability management program. When possible, it is nice to drop the $100K+ to purchase one of the commercial suites, but simply ensuring that all your computers (servers, desktops and laptops) are configured according to a hardening template and that they receive all patches in a timely fashion is already a major gain. Put on top of that a decent (current) anti-malware package, and you have a nice start.

Do not underestimate the complexity of "just" doing this. If you haven't started this yet, get going. If you have started, but don't think you're done: welcome to the club ;)

If you are embarking on such a project, think about collecting some metrics about how well you are doing it so you can measure progress and define success. Think of numbers like: percentage of end-points that have been patched appropriately, percentage of end-points with current anti-malware software, average lag between publication of vulnerabilities and completion of roll-out, number of end-points in compliance with the hardening template, etc.
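The metrics listed above are easy to state and surprisingly easy to get wrong once the inventory is more than a handful of machines (what counts as "current" anti-malware? how do you average a lag when some roll-outs are still open?). The script below is an added example, not code from the post or from any vendor product: it computes those four numbers over a constructed endpoint inventory and a constructed set of advisories. The endpoint names, dates, the "ADV-000x" identifiers and the seven-day signature-age policy are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample inventory for this example (not data from the post).
# Every host name, date and advisory identifier below is made up.


@dataclass
class Endpoint:
    name: str
    missing_patches: int        # required patches not yet installed
    signature_date: date        # date of the installed anti-malware signature set
    hardening_compliant: bool   # matches the hardening template


@dataclass
class Advisory:
    identifier: str                    # placeholder id, not a real advisory
    published: date                    # when the vulnerability was published
    rollout_completed: Optional[date]  # None while the patch roll-out is still open


AS_OF = date(2010, 2, 3)
MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy: older signature sets count as stale

ENDPOINTS = [
    Endpoint("srv-01", 0, date(2010, 2, 1), True),
    Endpoint("srv-02", 0, date(2010, 2, 1), True),
    Endpoint("wks-01", 0, date(2010, 1, 20), False),
    Endpoint("wks-02", 0, date(2010, 2, 2), True),
    Endpoint("lap-01", 1, date(2009, 12, 15), False),
]

ADVISORIES = [
    Advisory("ADV-0001", date(2010, 1, 5), date(2010, 1, 15)),
    Advisory("ADV-0002", date(2010, 1, 12), date(2010, 1, 26)),
    Advisory("ADV-0003", date(2010, 1, 28), None),
]


def patched_percentage(endpoints: List[Endpoint]) -> float:
    """Share of end-points with no outstanding required patches."""
    if not endpoints:
        return 0.0
    patched = sum(1 for e in endpoints if e.missing_patches == 0)
    return 100 * patched / len(endpoints)


def antimalware_current_percentage(endpoints: List[Endpoint], as_of: date,
                                   max_age_days: int = MAX_SIGNATURE_AGE_DAYS) -> float:
    """Share of end-points whose signature set is no older than the policy allows."""
    if not endpoints:
        return 0.0
    current = sum(1 for e in endpoints
                  if (as_of - e.signature_date).days <= max_age_days)
    return 100 * current / len(endpoints)


def hardening_compliant_count(endpoints: List[Endpoint]) -> int:
    """Number of end-points that match the hardening template."""
    return sum(1 for e in endpoints if e.hardening_compliant)


def average_rollout_lag_days(advisories: List[Advisory]) -> Optional[float]:
    """Mean days from publication to completed roll-out.

    Open roll-outs are excluded rather than counted as zero, which would
    flatter the number; None means nothing has completed yet.
    """
    lags = [(a.rollout_completed - a.published).days
            for a in advisories if a.rollout_completed is not None]
    if not lags:
        return None
    return sum(lags) / len(lags)


def open_advisories(advisories: List[Advisory]) -> List[Advisory]:
    """Advisories whose roll-out has not been completed yet."""
    return [a for a in advisories if a.rollout_completed is None]


def vulnerability_management_metrics(endpoints: List[Endpoint],
                                     advisories: List[Advisory],
                                     as_of: date) -> dict:
    """The four metrics from the post plus the count of still-open roll-outs."""
    return {
        "patched_pct": patched_percentage(endpoints),
        "antimalware_current_pct": antimalware_current_percentage(endpoints, as_of),
        "hardening_compliant": hardening_compliant_count(endpoints),
        "hardening_total": len(endpoints),
        "avg_rollout_lag_days": average_rollout_lag_days(advisories),
        "open_advisories": len(open_advisories(advisories)),
    }


if __name__ == "__main__":
    for key, value in vulnerability_management_metrics(ENDPOINTS, ADVISORIES, AS_OF).items():
        print(f"{key}: {value}")
```

Reporting the number of open roll-outs next to the average lag matters: an average computed only over finished roll-outs looks better the longer the hard ones stay open, so the two numbers should always be read together.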