This is not your math teacher’s Cryptography presentation !
The core of this presentation is about discussing the various points in an application where a cryptographic control, primarily encryption, can be applied. Kevin and I walk through an expanded version of the 3-tier application architecture. We go beyond discussing the encryption controls available to the web server, application server, and database backends, to expand our scope to include the PC, storage, backup, and file systems. At each point we will discuss the kinds of controls that can be applied, the risks that those controls help manage, and risks which are ofttimes overlooked and remain.

This presentation is more focused than the RSA Version from March.
In our presentation in March we tried to also include an introduction to Key Management. This proved to be too much to bite off, so we have pruned that material from the presentation that is planned for the Webcast. Kevin and I may be submitting a presentation proposal for RSA 2011, 100% dedicated to Key Management. (Feedback on that idea would be of great value… Feel free to comment below.)

In fact, I am always interested in feedback from readers of AoIS. So, if you tune in the the WebCase, please drop me a note. I personally find web and teleconference presentations much more difficult than in the in-person kind…

When and Where ?
The Webcast in this Wed (June 23, 2010) at 1:00 PM EST, 10:00 AM PST, 5:00 PM GMT.
Here is a link to the registration: Webcast: Cryptography: Issues and Insight from Practical Implementations

((AoIS Webcast)) Cryptography: Issues and Insight from Practical Implementations

This year’s program is titled “Foundations for Success: Enterprise Identity Management Architecture”, and the content follows the successful pattern of past years. The morning will focus on establishing a base of understanding, and the afternoon will be spent covering modules selected by the attendees (the description from the RSA website is attached below).

This year I am especially excited as I am leading a major Information Security infrastructure initiative that involves the complete build out of the Information Security stack for a new company (actually a $2.4B spin-off). I have just completed full requirements, RFP, and the product selection cycle for an Identity Management solution. At the time of the class, I will be at the mid-point of the provisioning system’s deployment, and will have Password Vaulting in production. This project has been a source of great challenges and new insights, all of which I hope to bring with me on March 1st (well, the insights anyway).

Identity Management is at the core of a successful Information Security program. In many ways, it is the primary technical control for policy enforcement and oversight. In addition to the important role Identity Management plays in risk management and oversight, many of your business partners think of Identity Management “as” Information Security. The question of “how do I get access to X” is a question near and dear to the heart of your business partners. Many of the security controls we all work with day to day are largely invisible to business partners, but password problems, access request delays, and audit findings are very visible to them.

Information about the tutorial is available form the RSA 1-Day Tutorials page, but here is a copy of the tutorial description:

Tutorial ID : TUT-M21

Foundations for Success: Enterprise Identity Management Architecture

Identity and Access Management is the foundation for access controls in the Enterprise, a mission-critical IT function that is both the lifeblood of your business, and a frustrating and difficult beast to tame. Your IdM infrastructure is more complicated, with more moving parts, and more partners across the enterprise, than any other security related service.

This interactive session, taught by experienced IdM veterans and practitioners, provides an architectural view to resolving identity challenges, and will provide detailed and informative discussions on directory services, web access management, Single Sign-on, federated identity, authorization, provisioning and more. The morning session will provide an overview of the foundations of IdM, while the afternoon will provide a customized, detailed and interactive session to focus on the specific identity disciplines they find most challenging.

This workshop will cover:

• Principles of Identity and Access Management and implementation strategies

• Infrastructure architecture — critical underlying processes to run a successful enterprise

• Web-based authentication & Web Access Management

• Selling Identity strategy in the C-suite

• Directory Services – Enterprise, meta-directories and virtual directories

• Provisioning – managing the processes of Identity and Access Management

• Identity mapping and roll-up

• Detailed Single Sign-on strategies: Getting off Identity islands

• Detailed Federated Identity discussion and case studies

• Gritty Reality of Federation SSO: Lessons learned from 14 major federation projects

• Multi-factor authentication: biometrics, tokens & more

• Functional IDs – real world considerations of this often forgotten access control

• User Access Audit: Proving only authorized users have access

• Auditing the identity systems

Key Learning Objectives:
Participants should have a basic background in Information Security, IT systems, and identity management. After the class, participants should feel well grounded in identity management, understand the broad landscape from both a technical as well as a business perspective, and have gained practical insight into the strategies which will enable them to meet identity challenges in their organization.

Cheers,
Erik

Add Some Architecture to RSA 2010

• Operational Integrity (things happen when they are supposed to happen – backups, tasks, etc.)
• Reproducibility of events (meaningful logs and records)
• Validation of SSL certificate expiration (or other tokens, etc.)
• Correct application of time restricted controls
• Etc.

So, the big question is, what is “adequate clock synchronization”, and how do we achieve it ?

But First, What Time Is It ?

Time itself is of course a natural phenomenon. Just like distance, volume, and weight, the measurements for time are artificial and man-made.  The dominant time standard (especially from a computer and therefore Information Security perspective) is Coordinated Universal Time (UTC). This could probably have been called Universal Compromise Time, as it turns out that getting the whole world to drop their cultural biases, deployed technology, etc. and move to a single time system has been a long and complicated road (and it isn’t over yet).

One major component of UTC is an agreement on what time it in fact is, and how that is determined. Also, there are  questions surrounding how to adjust leap seconds, leap years,  and other “measurement vs reality” anomalies.  Time (and its measurement) is quite complex in itself, but for the purposes of Information Security (system operation, log correlation, certificate expiration, etc.), the good news is that UTC provides a solid time standard.

Now, all we need to do is synchronize our clocks to UTC !
(and adjust for our local time zone…)

Network Time Protocol (NTP)

Network Time Protocol (NTP) is a well established, but often misconfigured and misunderstood, internet protocol. NTP utilizes Marzullo’s Algorithm to synchronize clocks in spite of the fact that:

• The travel time for information passed between systems via a network is constantly changing
• Remote clocks themselves may contain some error (noise) vs UTC
• Remote clocks may themselves be using NTP to determine the time

In spite of this, a properly configured NTP client can synchronize its clock to within 10 milliseconds (1/100 s) of UTC over the public internet. Servers on the same LAN can synchronize much more closely . For Information Security purposes, clock synchronization among systems and to UTC, within 1/5 or 1/10 of a second, should be sufficient.

Classic Misconfiguration Mistakes (and how to avoid them)

The misconfiguration mistakes that folks make tend to be the result of:

• Overestimating the importance of Stratum 1 servers
• Over-thinking the NTP configuration

NTP Servers are divided into Stratums based on what time source. A Stratum 1 server is directly connected to a device that provides a time reference. Some examples of reference time sources include:

• Atomic Clocks
• GPS
• CDMA
• WWVB, DCF77, MSF60

NTP servers which synchronize with a Stratum 1 time source are Stratum 2 servers, with the Stratum number increasing by one for each level.

Big Mistake – Using a Well Known NTP Reference

The most frequent mistake people make when configuring NTP on a server is assuming that they need (or will get the best time synchronization) by using one of the well known atomic clock sources. This tends (thought not always) to be a bad idea because it overloads a small number of servers. Also, a server with a simpler network access path will generally provide better synchronization than a more remote one.

When configuring the NTP protocol, it is a good idea to specify several servers. The general rule of thumb is 2-4 NTP servers. If everyone specifies the same servers, then those servers become overloaded and their response times become erratic (which doesn’t help things). In some cases, an unintended denial of service attack is caused.

Both Trinity College of Dublin, Ireland and the University of Wisconsin at Madison experienced unintended denial of service attacks caused by misconfigured product deployments. In the case of the University of Wisconsin at Madison, NETGEAR shipped over 700,000 routers which were set-up to all pull time references from the university’s servers. NETGEAR is not the only router or product manufacturer to have made such an error.

Enter the NTP Pool…

“The pool.ntp.org project is a big virtual cluster of timeservers striving to provide reliable easy to use NTP service for millions of clients without putting a strain on the big popular timeservers.” quoted from pool.ntp.org

Basically, the NTP pool is a set of over 1500 time servers, all of which are volunteering to participate in a large load-balanced virtual time service. The quality and availability of the time service provided by each of the NTP servers in the pool is monitored, and servers are removed if they fail to meet certain guidelines.

Unless a system itself is going to be an NTP server, then use of the NTP Pool is your best bet 100% of the time. It is a good idea to use the sub-pool that is associated with your region on the globe. Here is ta sample configuration: (/etc/ntp.conf file)

server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

It may not be necessary for your to run the NTP service itself. Running the ntpdate command at boot and then in a cron job once or twice a day may be sufficient. The command would look like:

ntpdate 0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org

If you do need to install ntp on Ubuntu, the commands are:

sudo apt-get install ntp

and then edit the /etc/ntp.conf file and add the server lines from above. On my OSX workstation, the entire /etc/ntp.conf file is:

driftfile /var/ntp/ntp.drift

server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

Overthinking the Configuration

The “server” parameter in the configuration file has a number of additional directives that can be specified. These are almost never needed, but can generate a lot of extra traffic on the NTP server. Avoid over thinking the server configurations and avoid using prefer, iburst, or burst.

When Should I Run NTP Service Rather Than Use The NTPDate Command ?

There is almost no downside to running the NTP service. It is very low overhead and generates almost no network traffic. That being said, the only downside to running the ntpdate command a few times a day, is that the clock can drift more. If I were performing an audit, and the shop-practice was to use ntpdate on everything except infrastructure service machines (directory servers, syslog concentrators, etc.), I would accept that practice. I would be more concerned about how time synchronization was being managed on HSMs, directory services, NIDS, firewalls, etc.

When Should I Run My Own NTP Server ?

There are two cases when you should consider running your own server:

• You have a large number of machines that need time services
• You wish to participate in NTP Pool

A Stratum 1 time server appliance or a GPS/CDMA card can be purchased for costs similar to a rack mounted server (of course you will need two). If that is just out of the (budgetary) question, then I would look for the time servers to use authenticated time sources. NIST and several other Stratum 1 NTP providers have servers which are only available to folks who have requested access, and are authenticating to the server. If time accuracy is critical to risk management, and GPS/CDMA is not available, then I would push for authenticated NTP.

Option 3 is acceptable in the vast majority of situations, including cases where logs and events are only correlated locally, or where no compelling need exists.

NTP and Network Security

NTP uses UDP on port 123. This traffic should be restricted in DMZ or other secure network zones to only route to authorized NTP servers. Tools like hping can be used to turn any open port into a file transfer gateway or tunnel.

One option is to set-up a transparent proxy on your firewalls and to direct all 123/UDP traffic to your NTP server or to one you trust. (The risk of the open port involves providing a data path out of the organization, not rogue clocks…)

Resources and More Information

• Wikipedia on NTP
• A Brief History of NTP Time: Confessions of an Internet Timekeeper
• Marzullo’s Algorithm

Cheers,

Erik

Auditing Time…

Erik: Are there any ‘free’ (but effective) marketing activities that organizations can pursue?

Heather:  All Marketing activities have some cost in terms of development or execution time, however, the following activities can be considered “free” or low cost:

Webinars: If the company has an internal content expert available to develop and deliver educational presentations (industry or technology focused, not vendor specific content), and if the company has an enterprise-level web conferencing subscription, the marketing team can host webinars for relatively free.  Partnering with channel partners for joint promotions can also help both companies educate and propel their prospects through the sales cycle.

By-lined or contributed articles: Developing industry-relevant articles for trade journals can be another relatively low cost activity to gain credibility and exposure.  Similar to webinars, this requires an internal content expert to develop the article and either internal PR or an agency to pitch stories to the media.

Erik: What have been some of the biggest misconceptions about marketing that you have experienced in your work with start-ups and growth companies?

Heather:  Two misconceptions spring to mind: the value of producing quality marketing materials, and the time and resources required to roll-out a program that has real impact.

I’ve seen companies who don’t hesitate to spend thousands of dollars to attend a tradeshow or who don’t bat an eye at an egregious entertainment bill submitted by sales, yet they balk or refuse to invest in a graphic designer to create a polished looking datasheet or direct mail piece, or refuse to spend time and money on developing the proper marketing materials for moving prospects and customers through the sales cycle.

The second misconception surrounds the required level of strategy, planning and resources required for successful marketing programs. Some executives underestimate the time required to plan a marketing program or what is required for execution in terms of personnel time, media lead time, engineering contribution to whitepapers, etc.

To develop truly integrated and impactful marketing programs, the marketing team needs to work through and understand the challenges faced by the sales team, the needs of the target market and align these key inputs to develop the appropriate campaigns to support the marketing goals.  Prior to executing these campaigns, companies typically need to develop new or update existing marketing materials to support these campaigns. The entire process can take a month or more.

Erik: So, how can organizations promote marketing and messaging into the culture so that everyone is involved?

Heather:  Establishing clear and effective marketing messaging and materials is the first step.  This includes both internal and external websites, datasheets and presentation content. For example, develop a concise positioning and messaging document for sales, channel partners and other company staff. 

I would also encourage the Marketing team to take advantage of all-hands meetings and either monthly or quarterly internal email updates to educate personnel on the latest marketing activities and messaging development. 

Marketing or corporate executives should also address any marketing challenges that surface and instruct employees on how to respond publically.  For example, if a known competitor is using under-handed sales tactics such as falsifying information about your company or product, executives should clearly indicate how sales and marketing is addressing the issue and reinforce that the corporate communication policy does not condone negative messaging or competitive bashing in retaliation.  Similarly, if a company is dealing with a sensitive press issue, employees should be educated on the appropriate public response. Even if they are not considered company spokespersons, they need to be educated on what or what not to say.

Erik: What do organizations need to do, to determine if their marketing is effective?

Heather:  The two exercises I would recommend are: mapping the marketing programs to the marketing goals for post-program evaluation and soliciting frequent feedback from analysts, customers and channel partners.

Prior to each marketing campaign, map the marketing goals to the campaign or activity and measure the actual results post-program.  This will typically require a pre-defined lead follow-up plan and collaboration between sales and marketing.  Metrics to include may be Cost per Lead, Response Rates, Website Hits, Lead Quality, Opportunities Developed, Opportunities Closed, etc.  Of course these efforts will only be as good as the level of accountability required of both marketing and sales to input and maintain prospect and customer data throughout the sales cycle.

Measuring the effectiveness of messaging and marketing materials can be achieved through feedback from the sales team, prospects/customers, channel partners, and analyst feedback.  It is very important to reach out to all of these audiences to gain a fresh perspective on your messaging and content from time to time.  If possible, try to incorporate feedback from each of these groups, since each group brings a unique perspective.

Erik: Heather, you have worked with a number of start-ups. How early in the genesis of a new organization should a marketing plan be developed? 

Heather:   Even if a start-up doesn’t have a dedicated marketing budget, a marketing strategy and plan should be developed before any customer facing activities are initiated.  If hiring a marketing professional (either employee or consultant) is not an option, then this effort can be lead by one of the executives.  The key is to develop a baseline strategy covering product pricing, positioning, messaging and the go-to-market strategy.  Even a rudimentary go-to-market strategy will serve as a foundation for guiding sales and developing marketing materials.  As the company goes to market and gains additional intelligence on customers and competitors and as product enhancements are rolled out, this strategy should be reassessed and revised.

In addition to the marketing strategy, an initial marketing plan should be developed.  While a marketing budget may not be established, you still need to devise a plan for the development of marketing materials such as the website, collateral (datasheets, solution overviews, technical manuals), presentations, whitepapers, demos, product packaging.  Factoring in public relations efforts, such as the development, the out-reach and the response to media and analyst relations should also be considered, even if the company is not planning a formal PR program.

Thought should also be given to how prospect and customer data will be managed.  Even if the company has yet to deploy a CRM system, it is important to plan an efficient process on how this data is maintained, how leads and customers are managed and how this data can be ported to a CRM solution in the future. If the strategy for  managing customer data is not instituted with the sales team from the get-go, management will never really gain solid data to support the business metrics and marketing will loose invaluable data for establishing and managing marketing programs.

Erik:  What are the first steps for companies, especially resource-strapped start-ups, to take in starting their marketing efforts?

Heather:  Refer to my answers regarding the top marketing activities and “nearly free” marketing activities.  Development of even a baseline marketing strategy, marketing plan and marketing materials assessment will go a long way in laying the foundation to drive effective yet budget conscious marketing programs. 

I will also offer a free one-hour “Ask the Expert-Marketing Consultation” to the readers of Art of Information Security blog.   During this session companies can jump start their marketing by gaining free marketing advice specific to their website or marketing plan and bounce ideas off a marketing expert who specializes in the IT Security industry.  Schedule your free session through the contact page at www.candescomarketing.com

Many Thanks to Heather !

Thanks for taking the time for the interview, and for the offer to Art of Information Security’s readers. I hope that it will help provide a more rounded perspective to folks we are struggeling with organizing or understanidng their marketing needs. 

Heather can be contacted through Candesco Marketing.

Cheers, Erik

AoIS Interviews Heather Deem, Part 2

Erik: I noticed from your web page that you recently delivered a presentation called “7 Habits of Highly Effective Career Managers”. Can you give us a flavor for what those habits are?

Lee:

1. Talent or Great Skills
2. Excellent Communication
3. An effective network
   • Your network is only good if you can call on it and get a result
   • What are some effective giving strategies?
4. A Professional Development Plan
5. They Invest in Themselves
6. Develop Their Own Personal Brand
7. Possess Necessary Intangibles (perspective, patience, passion)

Erik: Ok, so how can someone reality check themselves about “having great skills”, or about the kinds of positions they “have great skills” for?

Lee: Talent is the one thing that is critical to being great at what you do, whatever that may be. Without talent, it is tough to achieve greatness. However, one talent could be something as simple as being the “hardest worker” or “never quitting until you figure it out”. The truth is that we are all talented at something – it is important to recognize what that talent is, cultivate it, develop it, and leverage it.

The questions I normally ask people is:

• Tell me one thing that you do better than most people
• Tell me the accomplishments that you are most proud of
• If I asked your peers about your skills, what would they say was your best one

When you answer those questions, you usually come close to discovering your best skills or true talent.

Erik: Communication is one of those elusive soft skills. Many people think they are great communicators, but are so-so. Do you have any concrete advice?

Lee: Most people are lousy communicators because they do not believe that it is a skill. There are classes and courses on how to increase your vocabulary, to communicate with executives, to speak to subordinates, etc.

Ask people around you in your personal life, or anyone who can provide you with an honest answer (without repercussions) about your communication skills – that may be a good guide to see where you really stand.

Erik: “Effective Network” – I suspect that you mean something very specific…

Lee: I define an effective network as one that can be called upon on short notice and one that will provide you with a meaningful response to your query. Your network can be made up of co-workers, industry peers, specialists, mentors, and educators. An effective network also has to be willing to offer “candid” communication – be able to freely tell you when you are both heading down the correct path and the wrong one.

Erik: So, having a Linked In account isn’t enough?

Lee: No. Like anything, you get out of it what you put into it. Just clicking on a “Linked Invitation”  does not equal a trusted, meaningful relationship. It is quite the opposite.

Erik: I am very bad with names and faces, however I try to use conferences and large meetings as networking opportunities. One habit I have developed is to write clues to myself on the back of every business card I accept. I write things like, “met Jim at RSA 2008 on Expo floor”, ”Great network threat guy”, etc. Do you have any specific networking habits that you use?

Lee: What works for me is that I like to remember something that is unique about the person that is not necessarily job related: such as an outside interest, a college or university, or something personal. To me,  this allows a connection to be developed that is outside of how you would traditionally think of them, and then you can effectively remember other things about them. However, just because it works for me, does not mean it will work for all.

Erik: What does a Professional Development Plan look like, and whom should I share it with?

Lee:  My thought is that a Professional Development Plan has two parts. The first part represents your current career and the skills that you currently possess. The second part is your long term career goal, and the skills and experiences necessary to qualify for that particular role.

Really what you are doing is performing a “career gap assessment”.

Other components of a career plan should include research on how to attain these necessary skills, a timetable of sorts to actually acquire the skills, and an understanding of the sacrifices necessary to achieve them.

Your career plan should be shared with people who respect and care about you, both personally and professionally. Your professional network can consist of your mentors, your supervisor, your peers, and trusted outsiders. Those can include career counselors, career coaches, executive recruiters, etc.

On a personal level, you need to share this with the people that will share the benefits and suffer from the sacrifices. This is usually your immediate family. Sacrifices can inlcude travel, longer work hours, relocation, and the finances needed for career investments.

Erik: Is personal brand synonomous with reputation?

Lee: In many cases it is, however I think that a personal brand is much more difficult to come by. I mean, everyone has a reputation: some are good and some are bad. However, you traditionally have to work very hard to establish a well respected professional brand.

In today’s culture, professional branding means that you not only have to establish a respected reputation, but you also have to be known for something that makes you unique and your opinions and knowledge “sought after” and relevant.

Erik: Developing a brand is a long term investment. How do you do this so it is not viewed as a “job campaign”?

Lee: You are correct; developing a professional brand will not happen overnight. I believe that many people who have respected professional brands have an inner drive and passion for excellence. It is this passion that usually drives them on a daily basis, and they know of no other way to conduct themselves. My feeling is that if this behavior is viewed as routine and standard, it appears natural, and is only viewed as a job campaign by people who do not share the same level of professional drive or who feel threatened.

Erik: Necessary Intangibles?

Lee: Passion to me is number one. All successful professionals, regardless of field, have a passion for their careers and are driven by an inner quest for excellence.

Patience is another one. Too many people get caught up in the concept of how quickly they can advance, without realizing that they will miss out on the opportunity to learn more and develop their skills.

I think that someone’s work ethic is also a big differentiator. One of my favorite expressions is that the worst thing to be in life is lazy. Someone who is willing to put in the time, effort, and energy to achieve usually finds themselves in positions where they are given extra opportunities to demonstrate their skills.

Erik: Lee, what advice do you have for folks who are currently out of work and looking?

Lee: Two pieces of advice: The first is to “keep your head up” and do not get discouraged. The second is to take this time to reflect as to why you are currently in this situation, and begin to plan accordingly so that it does not happen to you again.

Erik: And for those who are worried about being displaced?

Lee: My best advice would be to be visible when it is time to be visible. This is the time where you have to outshine the people around you, take on additional responsibility, and demonstrate that you are not immune to the current economic conditions.

This is not the time to ask for additional compensation, additional training, or take extra vacation. This is the time to show that you are a team player, hard worker, and are loyal to your current employer.

If you feel that your displacement is imminent, then you should get your resume prepared and begin reaching out to your network to see if they know of good opportunities for someone with your skill set.

Erik: Are there any Career Management resources you could point folks to?

Lee: I will be frank in saying that unfortunately there are not many Career Management resources specifically targeted toward Information Security professionals. Mike Murray and I are hoping to change that at www.infosecleaders.com. We are planning to produce regular career-driven content specifically geared toward the Information Security community. The initial podcast series ”Career Incident Response” will be posted soon.

In addition, we should also be publishing and releasing the results of our Information Security Career Management series around the time of Black Hat and Def Con this summer. The survey is still open and can be found at www.infosecleaders.com/survey.

Erik: Lee, thank you for taking the time to participate in this interview. I know based on the response to Part 1 that this information is getting a lot of attention and that the Art of Information Security community has really appreciated it.

Lee: Our profession is growing and increasing in popularity. In the future, there is going to be increased competition for the best positions. It will not be enough to only be good; you will have to be better than your competition. It will be imperative to plan accordingly and make regular investments in your professional development to differentiate from your peers.

Many Thanks to Lee Kushner

If you have found this interview helpful, please consider participation in Lee’s professional development survey at www.infosecleaders.com/survey. He has a tremendous passion for helping Information Security professionals develop their careers, and for aiding employers in understanding how to attract, develop, and retain top talent. The survey is Lee’s way of reality checking the advice and council that he gives, and will be shared through his upcoming podcasts and speaking engagements.

Cheers, Erik

AoIS Interviews Lee Kushner, Part 2

For more than ten years, Heather has supported marketing efforts, from framing the strategy to executing on the fine details, for a wide range of technology companies including Websense, Finjan, MarkMonitor, F-Secure, and others. I met her at last year’s RSA conference at one of the networking events, and really appreciate her taking the time for the interview. Let’s jump right in…

Erik: How much of a corporation’s resources and energy (capital, time, etc.) should be reserved for marketing?

Heather:  Many companies underestimate the hours and timelines required for campaigns and programs.  Timelines of course vary depending on a company’s goals, budget, the team’s availability, and turn-around times, but in general, it is advisable to allow the following timelines:

Collateral Development: 3-4 weeks to develop a new datasheet, 1-2 weeks for datasheet revision, 4 weeks to develop a new presentation, and 2-3 months to gain customer approval and develop a case study.

Tradeshows: Reserve booth space about a year in advance in order to acquire the best booth location.  Begin planning 4-6 months prior to the event date.  Start development of booth messaging, collateral, and demonstrations at least 3-4 months prior to the show.  Direct mail campaigns, exhibitor service orders, logo’d giveaways, and advanced shipments should be completed about one month prior to the event.

Online Demand Generation Programs: The first step in planning your demand generation program is to define the target market and the offer.  Is the call to action going to be a whitepaper, webinar, podcast or other?  Creation of a new whitepaper can take 2-4 months; 2 months if outsourcing, 4 or more if using internal sources to develop.  For a webinar, you need lead time to engage and schedule your guest speaker, usually an analyst or customer.  Once the target market has been determined and the development of the offer has started, you need to identify the right media company for promotions. Most media sites typically require insertion orders to be placed 2-3 months out.  While some advertising sites have availability 1-3 weeks out, sites with reputable performance typically sell out key promotional categories or banner spots several months out.

Direct Mail Campaigns: Similar to the online programs above, you need to identify your target audience and offer, but will also need to determine the direct mail list for your campaign.  You may have a solid customer and prospect database for your targeted mailing or you may opt to rent or purchase a 3rd party mailing list.  In both cases, you should take the time to segment the list to the specific contact titles, verticals, or geographic areas which are most relevant to your targeted audience.  It is also worthwhile, especially if utilizing a 3rd party list, to confirm the contact information and the mailing address of each recipient.  Depending on the size and quality of your list, the process of scrubbing the list may take days or several weeks. This step is less necessary if you are mailing an inexpensive post-card, but quite necessary if you have developed a higher quality mail piece or offer.

Depending on your offer and the complexity of your direct mail piece, it may take 2 weeks to 1 month to develop content, design the graphical layout, and print the direct mail piece. You will need to allocate another 2-3 weeks for mailing house services and delivery.

The above examples illustrate very rough timelines, but hopefully provide a baseline for planning typical marketing projects. While I’ve worked on and successfully delivered similar projects within shorter timeframes, it is advisable to integrate ample timelines into your project planning to avoid rush fees, team pressure, and depletion of resources which may be needed for other team projects/goals.

Erik: What are the top marketing activities that every organization should make happen?

Heather:  Development of a Marketing Strategy & Plan, and Development of Marketing Materials & Tools.

While this advice sounds almost too simplistic to relay, I cannot tell you how many companies tend to overlook or half-bake their marketing strategy or plan, yet have high expectations of marketing activities which have been based on undefined goals and limited budgets.

Strategy: Identify your target market and develop your positioning, messaging, go-to-market plan, and marketing goals as these elements will serve as a tool for making informed decisions and will be the foundation for your marketing plan and materials.  Ensure that key decision-makers from executives to sales are aligned on these areas.  For example, based on the revenue goals, how many raw leads does marketing need to produce each quarter to support sales, and conversely, does sales have enough resources to appropriately handle follow-up for this volume of leads?

Plan: Based off the marketing strategy and goals, develop the tactical plan to meet the marketing objectives. This plan should include an estimated timeline and campaign results.  Identify if the allocated budget and resources will sufficiently meet the marketing goals.  If not, additional investments in marketing may be required, or the marketing goals may need to be readjusted.

Some companies may feel overwhelmed, not know where to start, or feel that their limited marketing funds don’t justify a full-blown marketing strategy or plan; however, in start-ups, where ever dollar and hour counts, planning is even more crucial as there is less margin for error or waste. Advance planning will strengthen the management of marketing by helping you stay goal-focused, adequately allocate resources, avoid spikes and dips in lead generation, and reduce gaps in your marketing materials.

Marketing Materials: This is one area that deserves more scrutiny. Organizations tend to focus more on lead generation and creating awareness, overlooking or undervaluing the necessity of creating and maintaining a proper marketing library of collateral and tools.  Frequent development and updating of marketing materials is vital to supporting the sales team and channel partners, and for propelling your prospects and customers through the sales cycle.

Almost every company has a datasheet, sales presentation ,and whitepaper, but many overlook other essential marketing materials like positioning briefs for the sales and channel team, ROI calculators, customer case studies, flash demos, and frequent development of new industry whitepapers or webcasts. These tools are like the oil that keeps the sales and marketing engines running smoothly and helps transport prospects through the sales cycle.

Look for Part 2

The second part of this interview with Heather will be posted in a few days. Stay tuned…

Cheers, Erik

AoIS Interviews Heather Deem, Part 1

“A Cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”

Kerckhoffs’ Principle does not require that we publish or disclose how things work. It does require that the security of the system must not be negatively impacted by such a disclosure. A sub-theme of this principle, is that if the system is not negativly impacted by disclosure, it may be enhanced. 

In the history of cryptographic systems, peer reviewed systems/algorithms/techniques have outperformed closed/proprietary ones. This has its roots in basic human nature and is demonstrated every day in basic quality controls used for software in general.

A coworker once pointed out, “I am very confident that I can build a system that I cannot break. I am not so confident that I can build a system that no one else can break.” Getting many “someone else” resources to look at things is the core of Kerckhoffs’ Principle in practice, even if not in original intent. An example of using Kerckhoffs’ Principle is the current effort by NIST to sponsor the development and adoption of the next generation of hash algorithms through their hash contest (wiki, NIST). 

If You Need to Keep the “How” Secret…

If you need to keep the “how” secret, then odds are it isn’t a very good approach to the problem (and you may know that). I am often shocked when probing people on password protection, at how often their not wanting to disclose this information (because it is a “secret” itself) correlates to a very poor practice. 

BTW: the most frequent bad practice that I encounter over and over again is that “Base64 Encoding” is being used to “protect” the password. If I built a system that did that, I too would want to keep it a secret…

(In this case, I think the reluctance to disclose the information aligns more with “cover up” than “system design secret”.)

It often seems odd to people that there are no secrets about how modern cryptographic algorithms are designed, operate, and are selected for broad usage.  Of course, I think many of these people don’t understand that this is no different from most security controls. Anyone can purchase a high-security lock, and then reverse engineer the lock. Take it apart, put it back together again, take it apart and examine (or replicate) each part, and so on. People’s trust in locks often greatly exceeds the actual “security” provided by the lock, but that has nothing to do with the fact that people have examined them. Most frequently it has more to do with people just purchasing cheap locks. 

Kerckhoffs’ Second Benefit: You Can Stand on The Shoulders of Giants

Back to passwords… Let’s say you are writing an application, and you need to store user account passwords. You are in luck – you can examine a broad body of work documenting the failures and redesigns of a number of password systems – and you can emulate what is working today without repeating old mistakes. The same can be said for a great number of security functions. 

It often amazes me how often people start with the blank page and reinvent the wheel. Personally, I don’t ever want to re-invent the wheel. If I do that, I will be lucky if I develop the wheel for a Roman ox cart, or bicycle. I would rather take what I can find out about the wheel and take it to the next level (maybe Formula 1 Ferrari Team Wheels…), or be done with that part of the system design quickly and focus on something more challenging. 

Kerckhoffs’ Third Benefit: Standards

Any time you are developing a solution to a problem and you can leverage a standards approach you are gaining numerous benefits. First, you are leveraging the “Standing on the Shoulders of Giants” concept by inheriting a body of work that has been tested, reviewed, etc. Second, it is easier to communicate it to others.

In the cryptographic world, there are a number of very helpful standards bodies. These include:

• NIST Computer Security Division 
• NSA Suite B
• OASIS
• ANSI and ISO

More soon…

Cheers, Erik

Crypto: Kerckhoffs’ Principle

Talk to People – Join in the Conversation

In the last year, I can think if 10 times where I was able to call (or I was called by) a colleague who I met at a past RSA. In the professional development series with Lee Kushner (link), ideas about developing, having, and being able to utilize your professional network are going to be a reoccurring theme.  If you are attending RSA (or any large event) don’t pass on the opportunity to meet and connect with new people. 

It can be Easy…

Don’t be mislead into thinking you need to “work the room” to meet people at RSA. 90% of the people who will be in Mascone Center are there because Information Security is important them, either as a practitioner or as a provider. (The other 10% are there to make sure everything runs smoothly.) 

So, you will be surrounded by people, who at least share that one item in common with you. Reaching out can be very easy. The people who you are in-line with, or waiting for a session to start with, etc. almost all do something connected to what you do. Just saying hello is all it takes. 

Leverage Events

There are a number of events that can make networking even more effective. The conference itself has roundtables session that are 100% focused on establishing peer to peer communication on targeted topics. Any vendor sponsored dinner or event also creates easy opportunities.

New to Networking? 

The RSA conference understands the value of the networking opportunity it is creating. As a result, there is a “Networking 101″ session on Monday evening at 5:15, immediately following the First-Time Delegate Orientation. Each year the conference brings in someone who has professional training experiencing in helping people network – helping people connect. This is always a great session to attend if you have the time, and are around the conference center on Monday evening.

Cheers, Erik

Optimize Your RSA, Part 3 – Network, Network, Network…

Lee Kushner is the President of LJ Kushner and Associates, LLC, an executive search firm dedicated exclusively to the Information Security industry and its professionals.  For the past thirteen years, Lee has successfully represented Fortune 2000 companies, information security software companies, information security services organizations, and large technology firms in enabling them to locate, attract, hire, and retain top level information security talent.  Throughout his career, he has provided career management and career coaching to information security professionals at various stages of their professional development.  He is a regular speaker and industry contributor on topics that include career planning, interview preparation, and employee recruitment and retention.

Erik: With 13 years of recruiting Information Security professionals, how has your position as a recruiter changed and evolved?

Lee: When I began recruiting 13 years ago, not many people had ever heard of a recruiter who specialized in Information Security – so there was a great burden of proof on my part to demonstrate that I understood both the technology and the industry to candidates.  Information Security professionals are a skeptical bunch.  It was very important to establish credibility and earn trust, by only promising what I was able to deliver.

I believe that after 13 years, both my firm and I have established a solid reputation and credibility within the industry and among the professionals.   Most of the people that we have worked with, we have done so for quite a while, throughout their career development.    Many of those professionals have passed on their positive experiences to their peers – and our reach has expanded.

It is my hope that through the years of working in the industry we have been able to help elevate the recruitment profession and inspire a different response when people hear the terms “recruiter” or “head-hunter”.

Erik: I understand that Mike Murray and you are working on a podcasting series called “Career Incident Response”? What is that about?

Lee: Mike and I have been speaking on the topic of Career Management for quite some time at RSA Conferences, DefCon, and The Source Conference.  We came up with the idea for a “Career Incident Response” podcast series due to the fact that so many people were coming to us either because they were a victim of a layoff, felt that a layoff was imminent, or had witnessed bad things happening to their industry peers.

The Career Incident Response podcast series will be outlined like a training course.  It will provide a guideline to what people can expect – from items that include evaluating your work situation,  the personal and emotional impact of job loss, how to effectively search for a position,  how to prepare your resume, and some basic ways to address difficult interview questions.

Note: The Podcast Series is scheduled for release on or about May 15th, 2009 on  www.infosecleaders.com.  Art of Information Security will post an announcement when the release happens.

Erik: If someone is working with a recruiter, what should they be doing to get the most value out of that relationship?

Lee: I believe that the most important item is honesty, which is driven by trust.  People generally like to keep things close to the vest when they are engaged in a job search and become cryptic about things such as timetable, other opportunities, their current work situation, and compensation.  The more accurate information that a recruiter has, the better that they can help assist you.

The other thing is that people should work with recruiters that understand their profession and can provide them with something more than a job description.  It should be imperative that the recruiter has industry experience, no matter which industry you are in.

For example,  if I was a real estate attorney, I would want to work with recruiters that either placed attorneys, or ones that worked with real estate clients.

Erik: What are some signs that people are working with the wrong recruiter for them?

Lee: The biggest sign is when they do not add any value to your search process that goes beyond the current opportunity that they are working on.  Many recruiters comb job boards and social networking sites, looking for key words, without understanding how they fit in.

Information Security is not a “key word” business.  There are many different segments of our industry and it is comprised of many different skill sets.   If a recruiter cannot differentiate between these skills and how you fit, then you are probably working with the wrong one.

Erik: If you could communicate one thing to someone who is trying to manage their career, what would that be?

Lee: The one thing that I would stress would be to strive to differentiate from your peers.  The industry is going to become more and more competitive, and competition for the best positions is going to increase, being able to tell that story is going to be critical to achieving your long term career goals.

Erik: In your practice, what are some of the key differentiators that you are encouraging people to pursue?

Lee: I hate to be vague, but the best thing that I can tell anyone is to make consistent investments in their career and career development.  This can include certifications, training, personal development, career coaching, etc – but investing in yourself and your career is going to be critical to differentiating from your peers and competition.

Erik: You in fact have been working on a Career Investment and Differentiation presentation. What are some of the key points you are trying to communicate?

Lee: The key point of this concept is that it is up to you – the individual – to manage your career.  You are the one that has to seek out guidance, and plan for your future.   Do not expect your company to do it for you – you will reap the ultimate reward – so you should plan on making consistent sacrifices to attain these goals.

Erik: So, how much overlap should someone expect between their employer-driven professional development and their personal professional development?

Lee: Whatever you can gain from your employer’s personal development plan – by all means get.  However, you should understand why the employer is providing you with that stipend – it is so that it benefits them – not you.   If there is overlap – consider yourself fortunate.

AoIS Interviews Lee Kushner, Part 1

Let’s take a look at the Session Catalog.

See Who’s Speaking

I have my own personal list of folks who always have great presentations and really pack a lot of punch for me. But, the attendance at the conference is so diverse that my list would certainly not work for everyone. The conference itself measures and metrics speaker performance. You know those forms they hand you as you walk into the session? Turns out that they use that data, and they even share it with you. When using the Session Catalog and the printed materials, you may notice a star next to some of the names. These are the folks who have had the strongest feedback during past conferences.

If this is your first RSA, it may be worth your while to ask folks who have attended in the past and who have similar interests, which speakers stood out to them. If you are a member of the RSA Conference group on Linked In (link), you could even post a question about “Best Session for X”. (Which I have done…)

Preview The Slides

RSA has always made the slides available in advance. Usually this was on media (CD/USB) handed out at the conference. (So, “in advance” was day-before…) But now they are available for most sessions right in the Session Catalog. (Note, you need to be logged in to the site before you visit the page to see these.)

Post Session…

There is a lot of time and energy that goes into being a speaker. Please, help your speaker and the conference, and complete the evaluation forms. And, if a session clicks for you – don’t be shy – meet the speaker. Most of the speakers are presenting because they are committed to the mission and the profession. Participation and feedback are the biggest rewards any speaker can ask for from the audience – don’t hold back.

Hope this is helpful – see you in SFO.

Cheers, Erik

Optimize Your RSA, Part 2 – Session Tips…

Screen Now and Benefit All Year

I am very selective about the vendors with whom, I have  meetings.  Sure, I am missing out on free lunches, but the fact is that I don’t have endless time to meet with people.  As a result I screen, and whenever possible pre-qualify vendors. Most of the time I spend on the RSA Expo floor is spent identifying who I don’t need to meet with, and establishing whom I definitely do want to meet with in the following year.

Understand your Organizations or Clients Needs !

In general you should have a good understanding of your employer or clients… Some key things to understand before heading out to the exposition:

Q: What are the emerging needs of your organization?

What are the areas of concern for your CISO, Risk Mgmt., LOB partners, or other important constituents? In the week or two leading up to RSA, I ping my CISO, key LOB partners, etc. to find out what concerns they have, what vendors have been hounding them for meetings, what alternatives they may need, etc.

Q: What products or services are subject to change?

I feel that, even for our deployed products, it is incumbent on me as a good corporate citizen to make sure those products are still competitive in the market. Information about the competition is especially important during contract renewals. No one negotiates a win-win deal without being fully informed.

Q: Who are you key partners, and what new offerings do they have?

Who are the top vendors whose products you have, and love? Make sure to take the opportunity to visit them, understand emerging features, and make sure that you are getting the most out of your existing investment.

Q: Who will your organization generally buy or not buy from?

Many organizations have firm rules about the types of organizations they will purchase from; know what these are. My experience is that if a product is truly compelling, there is always a way for purchasing to see that and make a deal happen. But, if you sense a weak offering from a company, that is going to be a hard sell to your organization, save time for both you and the vendor – tell them, and move on.

Be There Monday Night

Monday evening at RSA, the Expo opens to Delegates only. The fact that there are fewer people on the expo floor, the booth people are not burned out, and the free food makes this the ideal Expo floor time.

Arrange Key Visits In Advance

As I already mentioned, I try to pre-qualify vendor meetings. There are folks whom I know that I need to be meeting with (established relationships, emerging solutions, emerging risk needs, etc.) and there are a number of folks I know I don’t want to wast time on (lack of compelling product story, people who wasted my time in the past,etc.), but there are also a number of folks in the gray area in-between.

From November on, I start asking folks in the gray area if they are going to have an Expo presence at RSA. If they are, I ask for them to follow-up with me before the show with a booth # and contact name. After I arrive on-site and have the conference book in hand, I add to the list. I avoid setting up specific times, because with everything that happens at the show my schedule is too dynamic.

For each of these “quick meet and greets”, I prep one of my business cards in advance. I have the booth #, contact name, and subject clue on the back of the card. If my contact isn’t at the booth, I leave the card. When you in fact follow-up, you build credibility and relationship, even if there is no service to need synergy at this time.

Be Quick and Targeted

If the printed information, name, etc. on the booth catches my eye, I stop for a quick visit. I try to get the facts quickly, in 3-6 min. The secret is to not be afraid to ask tough questions quickly (but politely), such as:

• What’s compelling about your offering?
• Who is your primary competition?
• Do you have hard data, or a case study you can forward to me?
• Do you have reference accounts for the use cases that are most important to my organization?
• What industry analysis (Gartner, Burton, etc.) has been published on this space? Was your product included?

Be Specific About Follow-up

If I have an immediate need, I ask for contact info and I initiate the follow-up before I leave the show. If I am interested in follow-up for a long-term, or next budget cycle, etc. then I usually ask for follow-up later in the year (e.g. Q3/4). Q2 is always a very busy time for me and the people around me, so I try to defer long-term information and knowledge capture until later in the year.

Hope this is helpful – see you in SFO.

Cheers, Erik

Optimize Your RSA, Part 1 – Expo Management

If you are attending RSA 2009, and plan to be in San Francisco all day on Monday, take a look at the available Pre-Conference 1-day Tutorials (RSA has added a number, and there are many to choose from). There is an additional fee for these Tutorials but based on the feedback from last years class, it was worth it.

Neither Dan nor I work for a vendor or supplier in the space.  We both work for Fortune 500 corporations that have real-world Identity and Access Management challenges (with real-world obstacles). If you are a Linked In member, profile (link) has some endorsements related to this class, as well as other presentations.

Cheers, Erik

Max the Identity & Access Management in Your RSA 2009…

In Part 2 of the interview Michael discussed how network threats, and network counter measures have been evolving. He also touched on the development of his book. Here goes the final installment in this series…

Erik: What would be your recommendations for folks who are adopting Linux (either enthusiasts or corporations) in terms of properly protecting their hosts and networks from network attacks?

Michael: I think that deploying host and network firewalls is a great first step here, and iptables functions admirably. Many people in corporate environments are concerned about the questions of performance, manageability, scalability, and support, and iptables together with some third party software have decent answers to these concerns. For example, the fwbuilder project provides good graphical support for the display and manipulation of iptables policies, and large Linux distributions such as Red Hat and SuSE offer commercial support.

Beyond having proper firewalls deployed, intrusion detection systems are a critical piece to point the way to attempted (and sometimes successful) compromises. Also, strong security mechanisms such as SELinux can provide a powerful barrier to attempted malicious usages of hosts. Finally, patch early and patch often.

Erik:  Do you have any tool or reference recommendations for debugging IP tables firewalls?

Michael: For debugging iptables policies and maintaining tight controls on the type of packets that are allowed to traverse those policies, one of the best techniques is to use tcpdump either on the end points or on the firewall itself (and these may be the same system) and watch how network traffic is allowed to progress. For example, a SYN packet to a port that is filtered will not respond either with a SYN/ACK or a RST, and seeing this behavior with tcpdump is quite easy. At the same time, understanding where in an iptables policy packets are getting dropped (or otherwise messed with) is usually made clear by watching how packet and byte counters are incremented on particular iptables rules. Use ‘iptables -v -n -L’ for this, and couple this with the ‘watch’ command to see how things change. Beyond this, if you have a kernel compiled with support for the iptables TRACE target, then you can use an iptables TRACE rule that causes all packets hitting this rule to be logged. Lastly, for really advanced debugging of iptables code itself, the nfsim project provides a simulator for running Netfilter code within userspace (and hence the ability to test code before running it within the kernel itself where a bug can have dire consequences). The nfsim project can be found here:

http://ozlabs.org/~jk/projects/nfsim/

Erik: So, you obviously are deeply connected to all things Network IDS/IPS. What kinds of trends have you seen in 2008? Were there any new attack styles that surprised you? Do you have any ideas about what 2009 may hold?

Michael: Well, 2008 will certainly go down in history as the year that people were forced to really pay attention to DNS by the Kaminsky attack. One thing Dan did really well is make it clear just how important DNS is for literally everything on the Internet, and how a flaw there has implications that are difficult to over estimate. Online banking, acquiring SSL certificates, SMTP, “forgot my password links”, and countless other infrastructures depend on DNS information being correct. But, then there were also serious issues in 2008 with BGP and with SSL, so if there was any trend in 2008 I would say that it was the year of security flaws in big Internet infrastructures. In 2009, it will be interesting to see whether this trend remains true for as-yet undiscovered vulnerabilities in other important systems.

Erik: Has your support for open source helped you professionally?

Michael: Absolutely. My current position as a Security Architect on the Dragon IDS/IPS developed by Enterasys Networks is a role that my open source work helped me to acquire. Many forward looking innovations are created by the open source community, and understanding this community helps to guide many companies and the products they develop. Companies are recognizing the power of open source software more and more, and this translates to better professional positions for open source developers and technology enthusiasts.

Many Thanks to Michael !

Thanks a ton for the time and energy you put into this, the first of what I hope will be many, interviews with notables from around the Information Security community.

Thanks, Erik

AoIS Interviews Michael Rash, Part 3

I noticed a great article today on  Xavier Mertens‘ /dev/random blog (which by the way has several great posts that have caught my eye…), on SSH tunneling -> “Keep an Eye on SSH Forwarding“.

In addition to providing a solid introudction to SSH Port Forwarding Xavier also discusses:

• Using SSH as a SOCKS Proxy via the SSH Server
• Logging port forwarding
• Restricting  ports that can be forwarded

Check it out.

Cheers, Erik

Even more SSH – Great Article on /dev/random

The Art of Information Security continues our interview with Michael Rash, Network Security expert and the driving force behind several open source security tools including PSAD, FWSnort, and FWKnop.

In Part 1 of the interview Michael discussed how he came to be involved in Network Security and Intrusion Detection system design. Here in Part 2 we get a little deeper into Michael’s philosophy on Network Intrusion Protection and discuss more open source tools that he is involved with the develop and support of.

Erik: How do you see network based attacks changing ?

 Michael: Over time, I think network based attacks will continue to be more automated and therefore accessible and deployable by more people. When it comes to educating oneself on the details of network insecurity, excellent projects such as Metasploit, Nessus, and Nmap point the way – and this is essential also for people trying to defend networks too. We will see more attacks delivered over IPv6, and we will see ever more clever ways to exploit the natural tendency of people to trust data in ways they shouldn’t. For me as a person trying to protect networks, the later is the most worrisome. A good example of a new and clever attack is “in-session phishing” as described here (Arstechnica link).

Erik: The firewalls that I run are utilized as host based protection. As you see network security becoming increasingly important, do you see the firewall “concept” become a hybrid of network protection layered over host based network controls?

Michael: With good firewall implementations (such as iptables) that do not place undue burdens on network processing that takes place on hosts, I do believe that firewalls will be viewed more and more as an essential protection mechanism for the host. The network perimeter will also continue to be an important deployment point for large firewalls to enforce global policy, but limiting the damage a successful exploit against an internal system is a problem that such an external firewall is not well-suited to address. Having a hardened network security stance on each host can provide an important benefit in this area. Further, as firewalls offer more application layer processing features, hosts can deploy customized policies that define sets of application layer data (derived from Snort rules) that are unfit for communicating with local sockets.

There are challenges though regarding managing all of those host-level firewall policies, and this is where some patience and scripting ability can play a roll.

Erik: And then came FWSnort? What were the principles that drove the development of FWSnort ?

Michael: The fwsnort project was inspired originally by the snort2iptables script written by William Stearns. This was back in the Linux 2.4 days when the string match extension was still distributed within the patch-o-matic system from the Netfilter project. Being interested in intrusion detection and firewalls at the same time, it was a goal of mine to see how far iptables could be taken in the direction of detecting (and blocking) malicious traffic. The snort IDS had a well-developed signature language, and at that time the signatures were still free and released under the GPL. So, it was natural to try and extend the snort2iptables code, and fwsnort was created.

The main goal of fwsnort is to use facilities provided by iptables to recast Snort signature sets within iptables policies. A clean translation is not always possible particularly with complex Snort signatures that use regular expression matching (because no regex engine is available to the iptables code running in the kernel), but many Snort signatures can faithfully be translated.

 Erik: Was your vision that PSAD and fwsnort teamed up as host IDS dynamic duo, or more as services that strengthen network firewalls?

Michael: Ideally I would say both here. The difference between the two types of deployments is negligible from psad and fwsnort’s perspectives – both can be deployed just as effectively against the iptables INPUT chain (for packets directed at the local system) as the FORWARD chain (for packets directed through a network firewall). The effect of not deploying host firewalls is that the outside of the network may be protected by a crunchy shell, but the inside is a chewy center. If any system can be compromised internally on such a network, an attacker is presented with few barriers to additional actions once the perimeter is breached.

 Erik: But wait – there’s more ! You are also the driving force behind FWKnop !

Michael: Thanks for mentioning fwknop. This project has received a large percentage of my attention in the last year or so. It was started originally in 2004 as the first port knocking system that added passive OS fingerprinting as an authentication parameter, but in 2005 Single Packet Authorization was added. SPA solves many of the protocol limitations that are built into port knocking (ease of replay attacks, lack of decent data transmission, and difficulty of scaling to many users), and takes the idea of “default-drop” to a new level. That is, a service such as SSH is itself made completely inaccessible before the lightweight SPA packet is passively sniffed and the firewall is reconfigured to allow access only if the SPA packet is valid. This essentially combines techniques from the IDS world (passive packet sniffing) with techniques from the authentication and authorization world (encryption and the like).

Erik: And how did the book come to be ?

Michael: I have generally tried to capture my thoughts on computer security by writing them down. In 2001 I started writing articles, and wrote a few for the Linux Journal after working with Jay Beale on the Bastille Linux project. From there, I joined Jay with writing material for Snort books for Syngress. My open source development interest has always remained in IDS and firewall technologies, so I eventually decided to write a book about the two together. The result was the No Starch book. Let me just mention here that if any of your readers is interested in writing a book, I can wholeheartedly recommend No Starch as an absolutely fantastic publisher to work with.

Stay Tuned for Part 3

Part 3 of this series is coming soon, with more discussion about network security as well as the impact that contributing to open source tools has had on Michael professional opportunities.

Cheers, Erik

AoIS Interviews Michael Rash, Part 2

This post is going to focus on building and applying a Host Firewall using the IPTables functionality that is built into Linux. (If you are already lost, try googling “securing linux with IPTables”, and check out the resources section below.)

Please note: This Secure Your Linux Host series is very hands-on.  The tools and tips that will enable you to use a Host Firewall are coming, but let’s lay the foundation for using them first…

What is a Host Firewall?

When the concept of Firewall is mentioned, the most common meaning that comes to mind is a network services control between networks. Over 90% of the information that you can find on Firewalls is targeted at people who want to protect systems on one network (such as their corporate or home LAN) from systems on another network (generally the internet), while permitting a list of known services to be accessed by one network from the other. There are in fact several effective strategies for using Network Firewalls as boundaries between networks, or network segments.  For a detailed introduction (or tune up) on this subject, please refer to the NIST document in the resources section below, or click here for a great SANS introduction.

A Host Firewall is different in that it exists to protect and control access to a single system from all others. Common scenarios a Host Firewall is well suited to address:

• Host is in direct contact with the Internet (or other hostile network)
• Host is located in a DMZ
• Host cannot trust systems on its network segment
• Host has high control expectations due to legal, regulatory, audit, or risk requirements

If you have servers that are hosted in a data center or directly connected to a broadband/DSL connection and, as a result, are in direct contact with the internet, then I highly recommend configuring a Host Firewall. Systems that are in this situation will be attacked from other systems all over the globe all of the time. There are so many attackers who are running probing scans across the entire network space of the Internet that you will get scanned. The recent log information that I supplied on http scans and ssh password attempts is an example of how any host (no matter how insignificant) will be regularly attacked.

OK –  so what if the host is behind a firewall in a DMZ with other hosts (such as the www and SMTP, hosts in this illustration)? Most DMZ networks do not provide protection against attacks from other “peer” hosts in the DMZ. The problem that this presents is that, in the event that one host in the DMZ becomes exploited, then it can be used to probe and attack all of the hosts in the DMZ. Even worse, if a single host in the DMZ falls prey to a Worm or other self-propagating threat, then all similar hosts in the DMZ can be rapidly infected.

The “Host cannot trust systems on its network segment” argument for a Host Firewall is almost identical to the DMZ argument. Why provide access to services on the box to systems that do not need them?

The last point is about high-risk or highly-regulated systems. The rules on a Host Firewall are much simpler to review and understand (but perhaps not manage) than the rule set on a network boundary Firewall. This can have two major  advantages. First, it can make it much easier to provide complete and frequent reviews of the Firewall rule set. Second, it can remove confusion, limit scope, and simplify formal audits of the network access that the given Host has.

Isn’t Linux Secure by Default?

Many Linux distributions and commercial operating systems advertise that they ship in a “fail safe” or at least “start safe” mode; let’s assume that to be the case. When you install any operating system, the first thing you do is start installing software and applications. With each application that you install, you may be exposing services to the network.

With a Host Firewall, you will know precisely what services you are and are not exposing. As you know from Part 1, I run a Mail Transfer Agent so that email to root, events, etc. is in fact delivered to an email account I actually use. Running a Host Firewall dramatically raises my confidence that I am not a SPAM relay – sure, I think I configured the MTA properly… But with the Host Firewall I know that only services on my host (via 127.0.0.1) can send email. Running a LAMP server provides a very similar situation. With the Host Firewall in place, I know that MySQL isn’t accessible on its native ports to the world.

So, What is the Downside?

The reason that more systems are not running a Host Firewall is a lack of management tools. If you have a small number of hosts that you are administrating, then adding and managing a Host Firewall is not much work at all. But, if you have a hundred servers with a mix of operating systems, split into several data centers, suddenly managing Host Firewalls is not only a nightmare but may be causing more operational risk than is acceptable.

Every modern operating system (Linux, Unix-*, Windows, System/Z, openBSD, etc.) comes with a built in Host Firewall capability. What is needed is tooling that enables both centralized management and harmonization with network boundary Firewalls. (Unfortunately, I won’t be able to provide that in this series!)  The vendors with the best management of the network boundary Firewalls tend to be the manufacturers of those Firewalls, and they would be the most logical group to expand their existing management capabilities into the Host Firewall space. But, I do not think that anyone has developed a revenue model to justify that as worth the investment. (Hope springs eternal!)

What’s Next?

In the next installment, I am going to walk through the actual artofinfosec.com Firewall. (No B.S. “Security Through Obscurity” here!) And then in the following segment, I am going to discuss tools for monitoring and adding countermeasures to the Host Firewall.

Resources

• Securing Linux Systems With Host-Based Firewalls Implemented With Linux iptables (html, pdf)

This is a great introduction to building a Host Firewall. (The html site version seems like a paraphrase of the Sun Blueprint document pdf.) It is a resource that I return to time and again. The firewall example provided here includes full egress control, and the article walks the reader through the firewall step-by-step. The description is for a very controlled Host Firewall, so controlled that I in fact found myself moving to a simpler implementation.

• NIST: Guidelines on Firewalls and Firewall Policy (pdf)

The NIST documentation (as usual) provides a great 360-degree medium-depth introduction to the topic. If you currently, or are about to, manage firewalls as part of your network security function, then read this guide!

Cheers, Erik

Secure Your Linux Host – Part 3: Why A Host Firewall ?

The Art of Information Security has the great pleasure of interviewing Michael Rash. Michael holds a Master’s Degree in applied mathematics with a concentration in computer security from the University of Maryland.  He is the founder of cipherdyne.org, a website dedicated to open source security software for Linux systems, and works professionally as a Security Architect on the Dragon IDS/IPS for Enterasys Networks. He also is the author of “Linux Firewalls: Attack Detection and Response with  iptables, psad, and fwsnort”  (Sample chapter and more information here) published by No Starch Press.

When I started the Art of Information Security blog, I felt that it was important to appropriately lock down the host. It would be an unfortunate irony to have the server hosting a security blog “owned” by some script kiddy. So, of course AoIS runs a firewall. I had been using iptables firewalls on Linux for a while, and there were a few things that I felt were lacking from the set-ups that I had in the past. One was the ability to understand that the firewall is working. A solid firewall generates logs – but what do you do with those? And, what do they tell you? Second, I knew that I should be able to detect certain types of automated attacks and block those IPs. There are so many improperly configured hosts to attack that a few simple countermeasures go a long way. Third, I have also been very interested in running host IDS/IPS, but all the requirements to run Snort for a single host seemed a bit too much. Alas, I ran to cipherdyne.org and the great tools sponsored (and authored) by Michael.

Erik: So, Michael, Network Security is obviously more than just a job for you. How did you come to be involved so deeply in Network Security and Intrusion Countermeasures?

Michael: During the late 1990′s I was introduced to intrusion detection on a large ISP’s network, and that experience coupled with learning networking protocols sparked a deep and abiding interest in network security. This interest eventually led me to systems programming on Linux, and to the internals of systems that need to be protected. The constant game of cat and mouse played by attackers and defenders in the network security world never ceases to provide new directions for security research, and thanks to the open source development model, many of the techniques to defend systems can be investigated and contributed to by anyone.

Erik:  So when did you get the idea for PSAD?

Michael: In 1999 I started working with Jay Beale on the Bastille Linux project. At the time, both portsentry and Snort were around and were designed to detect network attacks (with the former only focused on port scans). Because Bastille was designed to harden the security stance of the host, a strong iptables policy was built in by Peter Watkins. With the strategy implemented by portsentry of listening on sockets in order to detect port scans (see the this link for why this is less than ideal from many perspectives), we needed a way to detect port scans in a manner compatible with Bastille’s iptables policy. The result was a portion of Bastille initially called “Bastille-NIDS”, but I eventually split it off as a dedicated project, and called it “PSAD”. An option would also have been to just write a configuration utility for Snort, but there would still have been a void since no tool really analyzed iptables log messages for suspicious activity. I made it my goal to try and fill this void mostly because the data source provided by iptables log is quite rich and has a lot to say.

Erik:  On your website you identify three principles around which PSAD was developed. Why are these important? How does PSAD accomplish them?

1. Good network security starts with a properly configured firewall
2. A significant amount of intrusion detection data can be gleaned from firewalls logs
3. Suspicious traffic should not be detected at the expense of trying to also block such traffic

Michael: Network security is more relevant for more people today than at any other point in Internet history. Important infrastructure is increasingly being put online (such as online banking access), and the threats are evolving to compromise this infrastructure. The default stance of many operating systems is to listen on several services to make things easier for users, and while many OS’s (particularly mainstream Linux distributions) offer to configure firewall policies, many users elect not to go through with this step. Sometimes people are too busy to maintain a properly configured firewall, or they reason that the local border firewall is sufficient. Firewalls should always be configured in a default-drop stance in order to provide an additional layer of protection for any vulnerable services that may be listening. For Linux systems, psad helps to verify that the local iptables policy is configured in this manner.

Firewall logs are also an important area to pay some attention. Although firewall logs cannot replace the full packet capture and logging capability of many intrusion detection systems, they can still be a valuable source of data to highlight efforts to break into systems. With a logging format that is as complete as provided by the iptables logging infrastructure, it is possible to detect and differentiate most types of nmap scans, passively fingerprint remote operating systems, detect probes for back doors, and more. The process of parsing iptables logs to look for these kinds of activities is automated by psad.

Finally, just detecting malicious traffic will always play second fiddle to an effective mechanism for also blocking such traffic. The iptables firewall is a well-tested piece of code that runs inline to the packet data path. Hence, it is a strong weapon to block suspicious traffic with a default drop stance before such traffic is allowed to target internal systems. By using the iptables string match extension, iptables blocking actions can even be tied to the inspection of application layer data.

Stay Tuned for Part 2

Part 2 of this series is coming soon, with more discussion about network security and open source security tools. More information is available on PSAD at http://www.cipherdyne.com/psad/. (Oh, and PSAD will be featured in an upcoming installment of the AoIS Secure Your Linux Host series !)

Cheers, Erik

AoIS Interviews Michael Rash, Part 1

Interesting Series by ISS X-Force on SSH

Just this morning I ran across a three part series on SSH published last year in IBM’s Internet Security Systems X-Force Threat Insight in the following issues:

• X-Force Threat Insight Monthly – April 2008
• X-Force Threat Insight Monthly – May 2008
• X-Force Threat Insight Monthly – June 2008

X-Force expresses a slightly different set of concerns, and solutions. One topic that I did not touch on was the use of ssh agents for the management of sessions. Part 3 (June) is almost entirely focused on that.

Logwatch Samples

One of the great things about the script kiddies is they are keep testing your security for you ! Below is a mash-up and edit-down of the last few days of ssh related itms from my logwatch logs. Logwatch really has become one of my favorite tools. I don’t have tons of attacks on my servers, but there is always enough activity in the logs to let me know that the controls and countermeasures are up and running. After installing fail2ban, I always have some activity in 24 hour period of time. 

And a tip for the paranoid – if you have Failed logins and Illegal users but no fail2ban activity – then fail2ban has stopped running (or worse…).

——————— fail2ban-messages Begin ————————
Banned services with Fail2Ban:
Bans:Unbans  
ssh: [ 6:6 ]  
ssh: [ 4:7 ]  
ssh: [ 6:5 ]
ssh: [ 5:3 ]
———————- fail2ban-messages End ————————-

——————— SSHD Begin ————————
Failed logins from:
75.xxx.109.82 (75-xxx-109-82-Indianapolis.hfc.comcastbusiness.net): 1 time
79.xxx.248.27 (host27-xxx-static.38-79-b.business.telecomitalia.it): 1 time
200.xxx.209.156 (dedint-200-xx-209-156.mexdf.axtel.net): 3 times
59.xxx.92.26: 6 times
88.xxx.16.23 (…): 7 times
119.xxx.154.57: 6 times
203.xxx.198.3 (…): 6 times

Illegal users from:
60.xxx.249.90 (…): 3 times
75.xxx.109.82 (…): 3 times
79.xxx.248.27 (…): 3 times
200.xxx.209.156 (…): 2 times
202.xxx.28.244 (…): 3 times
85.xxx.133.177: 4 times
193.xxx.161.136: 4 times
———————- SSHD End ————————-

Cheers, Erik

More SSH Anyone ?

More information is available her:  Stockholm University article.

The thing I find most interesting about this is that the US Supreme Cort has already determined that Lie Detectors are unreliable. From Wikipedia article on the polygraph:

In the 1998 Supreme Court case, United States v. Scheffer, the majority stated that “There is simply no consensus that polygraph evidence is reliable” and “Unlike other expert witnesses who testify about factual matters outside the jurors’ knowledge, such as the analysis of fingerprints, ballistics, or DNA found at a crime scene, a polygraph expert can supply the jury only with another opinion…”.

One of the things I find most interesting about the challenge of “testing” lie detectors is that no testing, such as the tests performed my Emily Rosa to debunk Therapeutic Touch, have ever been offered with can objectivity demonstrate the that they even work.

Cheers, Erik

Lie Detector Libel

And so SSH (aka Secure Shell was developed)… But it has not been without its failings. There are two “flavors” for SSH: Protocol 1 and 2.  Protocol 1 turned out to have pretty serious design flaws. The hack of SSH using the Protocol 1 weaknesses was featured in the movie Matrix Reloaded. So, by 2003, the flaws and the script kiddie attack were understood well enough to have the Wachowski Brothers immortalize them.

Another concern to watch out for is that SSH has port-forwarding capabilities built into it. So, it can be used to circumvent web proxies and pierce firewalls.

All in all though, SSH is very powerful and can be a very secure way to remotely access either the shell or (via port forwarding) the services on your host.

For additional information on SSH’s port-forwarding capabilities:

• SSH Tunneling Explained
• OnLAMP Article

Be aware that SSH is part of a family of related utilities; check out SCP, too.

Configuration

After installing the SSH server (perhaps: apt-get install openssh-server), you will want to turn your attention to the configuration file /etc/ssh/sshd_config

Here are a few settings to consider:

Protocol 2
PermitRootLogin no
Compression yes
PermitTunnel yes
Ciphers aes256-cbc,aes256-ctr,aes128-cbc,aes192-cbc,aes128-ctr
MACS hmac-sha1,hmac-sha1-96
Banner /etc/issue.net

1. The “Protocol” setting should not include “Protocol 1″. It’s broken; don’t use it.
2. PermitRootLogin should never be “yes” (so, of course that is the default !). The best option here is “no”, but if you need or want to have direct remote root access (perhaps as a rescue account), then the “nopwd” option is better than “yes”. The nopwd option will force you to set up and use a certificate to authenticate access.
3. Unless your host’s CPU is straining to keep up, turn on compression. Turn it on especially if you are ever using a slow network connection (and who isn’t).
4. If you are not going to access services remotely using SSH as sort of a micro-VPN, then set this to “off”.  Because I use the tunneling feature, I have it turned on.
5. OK; I work and consult on cryptographic controls, so I restrict SSH to the FIPS 140-2 acceptable encryption algorithms.
6. Likewise, I restrict the Message Authentication Codes (MACS) to stronger hashes.
7. Some jurisdictions seem to not consider hacking a crime unless you explicitly forbid unauthorized access, so I use a banner.

Sample Banner

It seems that (at least at one point in the history of law & the internet) systems which did not have a login banner prohibiting unauthorized use may have had difficulty punishing those that abused their systems. (Of course, it is pretty hard to do so anyway, but…) Here is the login banner that I use:
* - - - - - - - W A R N I N G - - - - - - - - - - W A R N I N G - - - - - - - *
*                                                                             *
* The use of this system is restricted to authorized users. All information   *
* and communications on this system are subject to review, monitoring and     *
* recording at any time, without notice or permission.                        *
*                                                                             *
* Unauthorized access or use shall be subject to prosecution.                 *
*                                                                             *
* - - - - - - - W A R N I N G - - - - - - - - - - W A R N I N G - - - - - - - *
Account Penetration Countermeasures

Within hours of establishing an internet accessible host running SSH, your logs will start to show failed attempts to log into root and other accounts. Here is a sample from a recent Log Watch report:

--------------------- SSHD Begin ------------------------
Failed logins from:
58.222.11.2: 6 times
211.156.193.131: 1 time
Illegal users from:
60.31.195.66: 3 times
203.188.159.61: 1 time
211.156.193.131: 3 times
Users logging in through sshd:
myaccount name:
xx.xx.xxx.xx: 3 times
---------------------- SSHD End -------------------------
One of the most effective controls against password guessing attacks is locking out accounts after a predetermined and limited number of password attempts. This has a tendency to turn out to be a “three strikes and you’re out” rule.

The problem with applying such a policy with a remote service, like SSH, as opposed to your desktop login/password, is that blocking the password guessing attack becomes a Denial of Service attack. Any known (or guessed) login ID on the remote machine will end up being locked out due to the remote attacks.

Enter Fail2ban: Rather than lock out the account, Fail2ban blocks the IP address. Fail2ban will monitor your logs, and when it detects login or password failures that are coming from a particular host, it blocks future access (to either that service or your entire machine) from that host for a period of time. (Oh, and you may notice I said blocks access to the “service”, and not “SSH” – that’s because Fail2ban can detect and block Brute Force Password attacks against SSH, apache, mail servers, and so on…)

How to Forge has a great article on setting up Fail2ban - Preventing Brute Force Attacks With Fail2ban - check it out.

One tweak for now. As I tend to use certificate authentication with SSH (next topic), I rarely am logging in with a password. As a result, I tend to use a bantime that is long, ranging from a few hours on up. Three guesses every few hours really slows down a Brute Force Attack! Also, check out the ignoreip option, which can be used to make sure that at least one host doesn’t get locked out. (You can lock yourself out with Fail2ban… I have done it…)

SSH Certificate Based Authentication Considerations

Secure Shell offers the ability to use certificate based authentication with a self-signed certificate. There are two ways you might consider using this:

1. With a password protecting the private key
2. With no password required

Please note: When you establish certificate based authentication with SSH, you will generate a public/private key pair on your local computer. The public key will only be copied up to the server which you wish to access. The private key always stays on your local computer.

During the process of generating the private and public key pair, you will be asked if you want to password protect the private key. Some things to consider:

• Will this ID be used for automated functional access ?

If you are creating the certificate based authentication so that a service can access data or run commands on the remote machine, then you will not want to password protect the local file. (If you do, you will end up including the password in the scripts anyway, so what would be the point?)

Personally, I have backup scripts which either pull data or snapshots on a regular basis. Google “rsync via ssh” for tips on this, or “remote commands with ssh” for tips and ideas. (Also, I may cover my obsessive compulsive backups in a later post.)

• This ID will be used for a rescue account

In this case the certificate is usually created to avoid password expiration requirements. If it is a rescue account, it often logs into root. Any time you use certificate access for root, the private key should be password protected. Rescue accounts are often stored on centralized “jump boxes” and are expected to only be used during a declared emergency of some kind (such as full system lockout due to a password miss-synchronization.)

These private keys should always be password protected.

If someone has access to backups or disk images of the jump box, or otherwise gets access to your .ssh directory, and you have not password protected the private key, then they own the account (e.g., they can use the public/private key pair from any box).

• Convenient remote logons…

The most common use of certificate based authentication for SSH is in fact to log you into the remote box without having to type passwords. (I do this, too…) But there are a few things to think about (these are all good general recommendations, but I consider them requirements when using an automated login…)

1. Automatic login should never be used on a high-privilege account (e.g., root)
2. If those accounts have sudo privileges, sudo should require a password
3. A new certificate (public and private key pair) should be created for each machine you want to access the remote server from (e.g., desktop, laptop, etc.).  Do not reuse the same files.
4. The certificate should be replaced occasionally (perhaps every 6 months).
5. Use a large key and use the RSA algorithm option (e.g., ssh-keygen -b 3608 -t rsa)

SSH Certificate Based Authentication Instructions

So, without further ado… Let’s set up a Certificate for authentication.

Part 1 - From the client (e.g. your workstation, etc…)

First, confirm that you can generate a key.

$ ssh-keygen --help

The options that are going to be of interest are:

• -b bits  Number of bits in the key to create
• -t type  Specify type of key to create

DSA type keys, you will note, have a key length of exactly 1024. As a result, I choose RSA with a long key. My recommendation is that you take 2048 as a minimum length. I am pretty paranoid, and I have a strong background in cryptography, but I have never used a key longer than 4096.

The longer the key, the more math the computer must perform while establishing the session. After the session is established, then one of the block-ciphers discussed above performs all of the crypto. If you are making a key for a slow device (like a PDA) or a microcontroller based device, then use a shorter key length. Regardless, actually changing the keys regularly is a more secure practice than making a large one that is never changed.

$ ssh-keygen -b 3608 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/erikheidt/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/erikheidt/.ssh/id_rsa.
Your public key has been saved in /Users/erikheidt/.ssh/id_rsa.pub.
The key fingerprint is:
43:69:d8:8e:c4:af:f8:8b:5a:2d:db:75:91:fd:06:be erikheidt@Trinity.local
The key's randomart image is:
+--[ RSA 3608]----+
|                 |
|     . o .       |
|      + =        |
|     . *   o     |
|      . S o o    |
|     o . . o o   |
|    + o . . . o  |
|   . * . .   o   |
|  ..o +.    E    |
+-----------------+
Now, make sure your .ssh directory is secured properly…

$ chmod 700 ~/.ssh

Next, you need to copy the public key (only) to the server or remote host you wish to login to.

$ cd ~/.ssh

$ scp id_rsa.pub YourUser@Hostname

Now we have copied the file up to the server….

Part 2 – On the Server or remote host….

Logon to the target system (probably using a password) and then set things up on that end…

$ ssh YourUser@Hostname

$ mkdir .ssh
$ chmod 700 .ssh
$ cat id_rsa.pub >> ~/.ssh/authorized_keys

Done ! Your next login should use certificate based authentication !

I hope this posting on SSH was useful.

Cheers, Erik

Secure Your Linux Host – Part 2: Secure SSH