Branden Williams

Stay Classy, San Diego!

What was popular in January? We’re already one month down in this new year and most of us have our sites set on RSA Conference in three weeks. Let’s talk infosec!

Here are the five most popular posts from last month:

1. Myth Busting with Ben Tomhave and Corporate Responsibility with Ben Tomhave took the top two spots this month. Ben Tomhave and I got into a fun discussion over Twitter that ended up going in two directions. First, can merchants self-assess, negating the need for a QSA-lead merchant assessment?
2. Intelligence Driven Security. The latest Security for Business Innovation Council report is out, and one key indicator is that we have tuned our systems to support compliance, not security. Read this post to learn why this is a fatal flaw in your thinking.
3. Where is your Chaos Monkey? This one is in the top five for the fourth month in a row! I absolutely love that this concept is being discussed as a reality in Information Security circles. Is your company’s culture prepared to deal with incidents? Netflix has one, where’s yours?
4. We Must Hunt. In line with some of the other themes this month, I discuss the need for hunters in your information security group. If you organize your department around the “sit around and wait for an incident” plan, you end up waiting for bad stuff to happen and try to catch it before it gets worse. Actively looking for threats inside your network will shorten your kill-chain exposure.

Thanks for stopping by!

Possibly Related Posts:

• Links for 2012-01-17
• Links from 2012-01-07 through 2012-01-11
• Links for 2012-01-05
• Herding Cats: Persona You (January 2012)
• 2011, A Year in Review

{ Comments on this entry are closed }

RSA Conference is right around the corner, and I’m excited to actually be able to see some talks this year. I’m on a panel with Dave Navetta and Serge Jorgensen on Tuesday covering the Dark Side of a Payment Card Breach (LAW-107, Room 131, 2:40pm). I am sure if you are there, we will bump into each other somewhere along the way!

Soft Landing, by moonjazz

One of the topics that I want to explore with other security folks while I am there is a shift to hardware-focused exploits whereby you bypass software and focus on firmware to control machines. It’s not a new concept and has been seen in both theoretical and actual attacks on systems. But as software vulnerabilities are closed, the bad guys have to come up with new ways to get into systems. It doesn’t have to be super creative or advanced to be effective. It could be as simple as tricking a device to “update” its firmware with one you have crafted, thus giving you full control over the device.

This becomes particularly critical when you look at devices that have simple but important functions and are rarely touched by technicians. Things that are out in the field like smart meters, pump controllers, payment terminals, and traffic lights. Some people might choose highly technical and specialized attacks that include drilling tiny holes and snaking wires into the hardware, but if you can figure out how to replace its firmware with yours you can effectively scale the attack remotely.

The outcomes vary greatly from nuisance to data theft to cyber-terrorism. Bricking my DVD player is a nuisance, shutting down a town’s water supply is an entirely different matter. If I can compromise a peripheral hardware device, what does that get me? Am I just messing around with a display device? Or am I in the system at a base layer that invalidates software security controls?

Possibly Related Posts:

• Intelligence-Driven Security
• Corporate Responsibility with Ben Tomhave
• Myth Busting with Ben Tomhave
• We Must Hunt
• Contextual Deep Content Inspection for Security

{ Comments on this entry are closed }

RSA released the ninth installment of the Security for Business Innovation Council report last week, and through a series of blog posts on Speaking on Security, we’re going to analyze the various areas highlighted in the findings. Today I’m going to explore the concept of Intelligence-Driven Security. In our world, intelligence-driven means that information coming in from all of our available sources will influence our actions—some of which will become automated over time.

The report makes a pretty sad claim about the global state of information security, one that has been explored here in the past and largely derivative of the old subject of my blog. Security programs tend to be compliance driven, or even worse, simply optimized for compliance. We focus on keeping the auditors off of our back instead of really thinking about the visibility we need in our environment to discover and combat cyber-threats.

Troop Inspection (Explored), by pasukaru76

First off, how sad is that?

I don’t think I’ve met a security professional who said that he was the happiest of the happy clams because his daily job was defending the network against PCI assessors and other auditors. Those guys don’t go to Shmoo, or BlackHat, or Defcon, or even BSides. They wouldn’t know what an advanced attack looked like until someone gave them theories on how their network was breached. Why just theories? Because compliance-led security will ignore key elements of intelligence that can help you spot and stop an attack.

Now, not all security programs are compliance-led; some have shifted to an incident-led approach. I imagine these folks can’t remember what the place looked like without giant fires blazing through the campus. They choose to wear shorts and crank down the A/C instead of finding the pyromaniac in their midst. Constant reaction to events creates unplanned work which derails our ability to actually make real progress in our IT-driven business.

The challenge with intelligence-led security lies in our ability to reliably and consistently collect the right intelligence from the right sources, manage and correlate that data, learn about what the bad guys are doing and take action all while using a risk-based approach to dictate how you act upon and share this information. It isn’t easy, and as an industry we’re behind. But don’t despair! The SBIC’s ninth report outlines not only many other characteristics and examples of intelligence driven security, but it also gives you an actionable, six-step roadmap to convert your team and function to be intelligence-led. There are some fantastic charts and work product that can be immediately actionable by your teams to help you shift your focus to the things that matter. Go check it out and start your journey!

Possibly Related Posts:

• Corporate Responsibility with Ben Tomhave
• Myth Busting with Ben Tomhave
• We Must Hunt
• Contextual Deep Content Inspection for Security
• Guest Post: Functionality and Benefits of WAF

{ Comments on this entry are closed }

Links for 2012-01-17:

• Implications of Data Breaches on OOW, beyond the PCI equation | Payment Card Security & IT Controls Explained – Like this. Adjacent data can be quite useful.
• Zappos Passwords Hacked: What You Need To Do Right Now – This one is going to hit the ladies pretty hard.
• Phishing Your Employees 101 — Krebs on Security – Interesting toolkit. Keep in mind, phishing your employees will be wildly successful. The point is TRAINING afterward.

Possibly Related Posts:

• Links from 2012-01-07 through 2012-01-11
• Links for 2012-01-05
• Herding Cats: Persona You (January 2012)
• 2011, A Year in Review
• November 2011 Roundup

{ Comments on this entry are closed }

Links from 2012-01-07 through 2012-01-11:

• 6 Tips For Writing Better Emails | PickTheBrain | Motivation and Self Improvement – Love this… Anyone sending corporate email should read this.
• Fraser Speirs – Blog – Misconceptions About iOS Multitasking – Interesting… I had this wrong for over a year now. The only reason I go close apps is if my iPhone is sitting on my desk, but running hot for some reason, or I see the Location icon going while I am not in any app.
• California Expands Its Data Breach Notification Law « Secure Thinking – Cali's law get's an update!
• Symantec source code leak is nothing special – Maybe this isn't such a big deal after all?
• Financial Malware now targeting Facebook accounts –

Possibly Related Posts:

• Links for 2012-01-05
• Herding Cats: Persona You (January 2012)
• 2011, A Year in Review
• November 2011 Roundup
• Herding Cats: Build Security In (October 2011)

{ Comments on this entry are closed }

Security people are often viewed as gatherers. We gather security event data, collect logs for review, build documentation based on information about our environment, and group informational assets in like-valued groups to focus our defenses. I think we’ve got the gathering part down. It’s similar to our propensity to react. We may not be great at reacting (or more likely, we’re great at reacting at only a few things), but we get plenty of exposure to it.

Warning!!!...Tiger in training...:O)), by Keven Law

You cannot be a successful security professional by only being a gatherer, and your team won’t be successful if you only hire and employ gatherers. Just like most societal norms that evolved over thousands of years, you need hunters to fill a need that your gatherers simply cannot.

Information security hunters aren’t reacting to incidents, amassing event data, or collecting things, they are taking all that has been gathered, augmenting it with other intelligence sources, and actively looking for threats against informational assets. These guys use complex analytics to find the bad guys when they hide in plain sight.

In this game of cat and mouse you can either sit back and wait—hoping you catch something early enough in the kill chain to save your job and company—or you can take your future into your hands and discover compromises before exfiltration.  Collecting the massive amounts of data we need to do our job allows us to not only be gatherers of information events, but hunters with added analytics.

Think back to the kill chain. We must assume that the first two or three steps will happen (recon, weaponization, and delivery), and are probably largely out of our control. Hunters back up their efforts to focus on exploitation and command and control, looking for and fixing these such that exfiltration doesn’t happen. Passive gathering is great, but without active analytics you are more likely to get the phone call informing you of your breach instead of you finding and stopping it on your own.

Possibly Related Posts:

• Contextual Deep Content Inspection for Security
• 2011, A Year in Review
• Guest Post: Functionality and Benefits of WAF
• Guest Post: Virtualization Makes Everything Easier – Including Burning Bridges
• Guest Post: Getting Management to Buy into ITSM

{ Comments on this entry are closed }

It’s 2012 (didn’t I already say that on Wednesday?) and the reality of 2011′s shifting security landscape should have set in by now. As much as many of you may want to go back to the days of worrying about Anti-Virus definition files, basic patching, and a single border firewall as the makeup of your entire security posture, its time to take a serious look at how you will plan your defenses for 2012.

One defensive technologies that is getting another look is Data-Loss Prevention (DLP)¹. By itself, an implementation of DLP can go a long way to prevent serious issues in simple to moderately complex IT environments—but the bad guys are better than that. They know ways to hide the ex-filtration of information in ways that will look like legitimate traffic to your porous border controls.

Civilian Technician Inspects Circuit Board at Army Aviation Centre Middle Wallop, by UK Ministry of Defence

Corporate IT users today have an unjustified sense of entitlement. They feel they are entitled to use corporate assets for whatever they wish, regardless if it contributes to their job or not. How many corporate citizens with company-issued phones have called or texted loved ones? How about the week after thanksgiving—shop much? Every corporate user is guilty of doing this because we’ve let them do it for years. And why not? The environment ten years ago was nothing like today! Browsing most websites wasn’t a big deal—except for productivity levels of course—and the worst IT offenders were typically handled by HR after we investigated their usage.

In the last several years, we’ve seen more companies deploy filtering products to help protect their IT assets against known threats. DLP is one of those, but as with many walls, it needs help to be effective. Many companies block popular personal email and social media sites because they fear accidental (or intentional) information disclosure. I’m sure that every new site added to a “block list” creates a flurry of hate directed back toward IT and IS.

The use of corporate IT systems is a privilege, not a right.

Let’s say that you deployed DLP on your network to watch for certain types of information entering and leaving your infrastructure. What happens when a legitimate user goes to an SSL-enabled site to purchase something? Do you proxy your SSL and inspect it? Do you match the URL against an “OK to use” list? What about a site that presents an SSL certificate, but isn’t known to be a legitimate website and the certificate is self-signed? And if you get an agent to the user’s corporate desktop, is it actually functioning as an enforcement point or just used for policy violation tracking?

DLP by itself is useful, but it can be so much more effective when paired with a few other controls. Before you can start building and enabling other controls, however, you must know what NORMAL looks like in your infrastructure. Server-to-server traffic is easier to find because it typically has firewall rules associated with it whereas desktop-to-server will just look like SSL or HTTP traffic over ports 443 and 80. Do you proxy your SSL traffic so you can inspect it? If not, consider it. That might be a good way to see if data is being moved while masquerading as legitimate traffic.

filter flower, by tonx

What about other outbound access, do you filter and/or inspect it? Can someone FTP files from your infrastructure to a site somewhere on the net? How about SSH, do you get detailed enough to know the difference between a legitimate HTTP session and someone using SSH over port 80? Do you tie that information back to other anomalies in your environment to provide context to your decision makers? Do you 0nly allow access to sites relevant for business or can someone research products, buy personal airline tickets, and set their fantasy football lineup from their corporate device?

DLP as a technology has been beat up over the years as a luxury product that doesn’t deliver upon expectations. Sure, every DLP solution out there has positives and negatives, but that’s because it’s not a silver bullet technology. It is one of the many tools you need in order to really do this stuff the right way. Deploying it well is preventative work—a type of work we should prioritize as it leads to less unplanned work down the road².

Possibly Related Posts:

• 2011, A Year in Review
• Guest Post: Functionality and Benefits of WAF
• Guest Post: Virtualization Makes Everything Easier – Including Burning Bridges
• Guest Post: Getting Management to Buy into ITSM
• DNS Query Logging—Looking for Fires

1. John Kindervag from Forrester just released some research on Rethinking DLP that is pretty interesting as well, especially his DLP Maturity Grid.
2. I’m implementing a Personal Kanban system right now, and reminiscing of my days of The Goal.

{ Comments on this entry are closed }