<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0"><id>tag:blogger.com,1999:blog-5583377899013638783</id><updated>2013-04-28T11:16:55.229-04:00</updated><category term="ethics" /><category term="logging" /><category term="criminal" /><category term="&quot;athens affair&quot;" /><category term="Haiku" /><category term="scribefire" /><category term="&quot;computer forensics&quot;" /><category term="&quot;red flag&quot;" /><category term="logs" /><category term="spafford" /><category term="Thoughts and ponderings" /><category term="enterprise architecture" /><category term="development" /><category term="Policy writing" /><category term="&quot;ed skoudis&quot;" /><category term="&quot;united states&quot;" /><category term="sme" /><category term="privacy" /><category term="checklist manifesto" /><category term="Windows" /><category term="moore" /><category term="mobility" /><category term="BlackHat" /><category term="chrome" /><category term="application development" /><category term="classification" /><category term="&quot;soldering station&quot;" /><category term="Computing" /><category term="&quot;sans top 20&quot;" /><category term="ranum" /><category term="dmca" /><category term="&quot;Into the Breach&quot;" /><category term="incident management" /><category term="backtrack" /><category term="job" /><category term="information security" /><category term="&quot;bell lapadula&quot;" /><category term="&quot;movable type&quot;" /><category term="spam" /><category term="notepad" 
/><category term="Events" /><category term="toaster" /><category term="silc" /><category term="protection" /><category term="rant" /><category term="oscp" /><category term="maturity" /><category term="rtc" /><category term="geer" /><category term="facebook" /><category term="botnets" /><category term="sans top 20" /><category term="Quotes" /><category term="&quot;dean de beer&quot;" /><category term="&quot;whitehat security&quot;" /><category term="storm botnet" /><category term="java" /><category term="princeton" /><category term="nomads" /><category term="no-stack-protector" /><category term="authentication" /><category term="wifi" /><category term="vendor" /><category term="Business Continuity" /><category term="movable type" /><category term="&quot;social engineering&quot;" /><category term="policy" /><category term="battery" /><category term="metasploit" /><category term="&quot;life cycle&quot;" /><category term="Strategy" /><category term="long island" /><category term="&quot;adelphi university&quot;" /><category term="&quot;tcp/32709 32709&quot;" /><category term="Teaching" /><category term="&quot;IT audit&quot;" /><category term="Life" /><category term="VoIP" /><category term="netiq" /><category term="sim" /><category term="dns" /><category term="MGT414" /><category term="Conficker" /><category term="drm" /><category term="mac" /><category term="Securosis" /><category term="saas" /><category term="power" /><category term="account expiration" /><category term="buffer overflow" /><category term="&quot;IPv6 IDS IPS&quot;" /><category term="&quot;hard disk encryption&quot;" /><category term="framework" /><category term="&quot;iso/iec 27002&quot;" /><category term="ubuntu" /><category term="isis" /><category term="&quot;polytechnic university&quot;" /><category term="accexp" /><category term="Site" /><category term="google" /><category term="dean de beer" /><category term="moving" /><category term="&quot;application development&quot;" /><category term="tcpdump" 
/><category term="podcast" /><category term="&quot;last lecture&quot;" /><category term="Confused" /><category term="cso" /><category term="red hat" /><category term="nymissa" /><category term="&quot;checklist manifesto&quot;" /><category term="red flag" /><category term="Forensics" /><category term="prevention" /><category term="hacking" /><category term="application" /><category term="sourcefire" /><category term="&quot;remote access&quot;" /><category term="&quot;Cyberspace Policy Review&quot;" /><category term="skoudis" /><category term="pgp" /><category term="Raspbery Pi" /><category term="programmer" /><category term="Leadership" /><category term="Hosting" /><category term="offensive security" /><category term="ips" /><category term="tester" /><category term="dams" /><category term="last lecture" /><category term="&quot;insider threat&quot;" /><category term="GSLC" /><category term="&quot;book review&quot;" /><category term="netherlands" /><category term="Ecomomist" /><category term="enisa" /><category term="Risk" /><category term="fark.com" /><category term="Around the house" /><category term="bell lapadula" /><category term="Crypto" /><category term="fountain pen" /><category term="Cloud" /><category term="athens affair" /><category term="share" /><category term="Note taking" /><category term="hack" /><category term="&quot;randy pausch&quot;" /><category term="&quot;gartner group&quot;" /><category term="Technical" /><category term="Access control" /><category term="threat" /><category term="pcproxy" /><category term="mike rothman" /><category term="speaking" /><category term="Certification" /><category term="&quot;windows xp&quot;" /><category term="Law Enforcement" /><category term="SOURCE Boston" /><category term="ddos" /><category term="dna" /><category term="Debian GNU/Linux" /><category term="copyright" /><category term="phishing" /><category term="ssh bruteforce" /><category term="&quot;incident management&quot;" /><category term="&quot;cloud 
security alliance&quot;" /><category term="&quot;ham radio&quot;" /><category term="&quot;stale sessions&quot;" /><category term="identity" /><category term="disclosure" /><category term="Vatsim" /><category term="&quot;SOURCE Boston&quot;" /><category term="internet storm center" /><category term="architect" /><category term="iso/iec 27002" /><category term="vpn" /><category term="project management" /><category term="&quot;note taking&quot;" /><category term="&quot;deliberate breach&quot;" /><category term="lenny zeltser" /><category term="&quot;educause security professionals conference 2009&quot;" /><category term="&quot;paros proxy&quot;" /><category term="The web" /><category term="Monitoring" /><category term="&quot;information security&quot;" /><category term="TED" /><category term="security conference" /><category term="port scanning" /><category term="santarcangelo" /><category term="morality" /><category term="educause_sec08" /><category term="dram" /><category term="&quot;star trek&quot;" /><category term="&quot;management support&quot;" /><category term="polytechnic university" /><category term="cism" /><category term="&quot;sql injection&quot;" /><category term="thanksgiving" /><category term="Vulnerabilities" /><category term="dvd" /><category term="&quot;Infrastructure security&quot;" /><category term="h1n1" /><category term="&quot;ross anderrson&quot;" /><category term="data theft" /><category term="responsibilities" /><category term="paros proxy" /><category term="cisco" /><category term="Pentesting" /><category term="adelphi university" /><category term="&quot;web application vulnerability scanning&quot;" /><category term="windows xp" /><category term="computer forensics" /><category term="Compliance" /><category term="randomize_va_space" /><category term="Travel" /><category term="vandenbrink" /><category term="educause" /><category term="tjx" /><category term="SIEM" /><category term="randy pausch" /><category term="Networking" /><category 
term="Career" /><category term="&quot;buffer overflow&quot;" /><category term="Higher Education" /><category term="roles" /><category term="cio" /><category term="united states" /><category term="star trek" /><category term="sentinel" /><category term="swine flu" /><category term="gartner group" /><category term="Defcon" /><category term="biba" /><category term="economist" /><category term="snort" /><category term="notebook" /><category term="web application vulnerability scanning" /><category term="eric cole" /><category term="future" /><category term="&quot;project management&quot;" /><category term="educause security professionals conference 2009" /><category term="hard disk encryption" /><category term="&quot;change management&quot;" /><category term="Into the Breach" /><category term="ioactive" /><category term="&quot;ethical hacking&quot;" /><category term="vmware" /><category term="seminar" /><category term="SANS" /><category term="parker" /><category term="&quot;long island&quot;" /><category term="federation" /><category term="&quot;Network security&quot;" /><category term="&quot;red hat&quot;" /><category term="stale sessions" /><category term="security catalyst" /><category term="bejtlich" /><category term="&quot;radio shack&quot;" /><category term="oracle" /><category term="betavoltatic" /><category term="ms09-039" /><category term="rbac" /><category term="&quot;capture the flag&quot;" /><category term="wiretapping" /><category term="soldering station" /><category term="ed skoudis" /><category term="peterson" /><category term="TheLastHOPE" /><category term="insider threat" /><category term="book review" /><category term="Incident Response" /><category term="&quot;swine flu&quot;" /><category term="ssl" /><category term="leveque" /><category term="cloud security alliance" /><category term="&quot;account expiration&quot;" /><category term="Publications" /><category term="li-infosec" /><category term="FIRST" /><category term="cross site scripting" 
/><category term="&quot;cross site scripting&quot;" /><category term="investigations" /><category term="&quot;lenny zeltser&quot;" /><category term="Mentor" /><category term="whitehat security" /><category term="&quot;fountain pen&quot;" /><category term="users" /><category term="radio shack" /><category term="yahoo" /><category term="trust" /><category term="MSRC" /><category term="&quot;de-ice.net backtrack&quot;" /><category term="CISSP" /><category term="passwords" /><category term="fbi" /><category term="change" /><category term="&quot;security catalyst&quot;" /><category term="blood" /><category term="Awareness" /><category term="life cycle" /><category term="conference" /><category term="Security" /><category term="mohan" /><category term="plan for failure" /><category term="csirt" /><category term="sql injection" /><category term="deliberate breach" /><category term="&quot;identity 2.0&quot;" /><category term="paas" /><category term="moleskine" /><category term="cheating" /><category term="remote access" /><category term="browser" /><category term="&quot;data theft&quot;" /><category term="webscarab" /><category term="Attacks and Exploits" /><category term="owasp" /><category term="iaas" /><category term="&quot;incident response&quot;" /><category term="amsterdam" /><category term="tcp/32709 32709" /><category term="management support" /><category term="linux" /><category term="Secure Coding" /><category term="sheraton" /><category term="isaca" /><category term="change management" /><category term="&quot;harvard business review&quot;" /><category term="reconnaissance" /><category term="&quot;enterprise architecture&quot;" /><category term="breach" /><category term="Governance" /><category term="identity 2.0" /><category term="&quot;plan for failure&quot;" /><category term="HAM Radio" /><category term="&quot;mike rothman&quot;" /><category term="&quot;eric cole&quot;" /><category term="ross anderrson" /><category term="Social Engineering" /><category 
term="ren-isac" /><category term="capture the flag" /><category term="audit" /><category term="acunetix" /><category term="Academia" /><category term="issa" /><category term="blog" /><category term="Blogging" /><category term="nyse" /><category term="Quotations" /><category term="de-ice.net backtrack" /><category term="Malware" /><category term="sec504" /><category term="Software engineering" /><category term="IsleSec" /><category term="ethical hacking" /><category term="Essential Truths" /><category term="&quot;offensive security&quot;" /><category term="airt" /><category term="microsoft" /><category term="dikes" /><category term="mcgrew" /><category term="&quot;Higher Education&quot;" /><category term="BlackHat2009" /><category term="&quot;security conference&quot;" /><category term="&quot;internet storm center&quot;" /><category term="Training" /><category term="netflow" /><category term="gawande" /><category term="Books" /><title type="text">Information Security Strategy</title><subtitle type="html" /><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://blog.leune.org/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://blog.leune.org/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default?start-index=26&amp;max-results=25" /><author><name>Kees Leune</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>448</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/kees" 
/><feedburner:info uri="kees" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>kees</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-7430591156537523030</id><published>2013-04-28T11:16:00.002-04:00</published><updated>2013-04-28T11:16:55.267-04:00</updated><title type="text">Access Control and Service Oriented Architectures</title><content type="html">What feels like an eternity ago, &lt;i&gt;Access Control and Service Oriented Architectures&lt;/i&gt; was the title of my PhD thesis. While cleaning &amp;nbsp;out some old SVN repositories on my home server before wiping and reinstalling it, I found a PDF copy of my thesis.&lt;br /&gt;&lt;br /&gt;The PDF was never published in full for reasons that I do not recall. Either way, more than a way not to lose the work, I am posting it here now. If you are interested in the topic: go ahead and read it. However, as one of my former co-workers once said: "PhD theses are meant to be written, not be read."&lt;br /&gt;&lt;br /&gt;Don't say I didn't warn you ;)&lt;br /&gt;&lt;br /&gt;You can download the thesis &lt;a href="https://docs.google.com/file/d/0B-uLhPApm7OEMElWamU1WElXcGc/edit?usp=sharing"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/MiA2KgrKo08" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/7430591156537523030/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/04/access-control-and-service-oriented.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/7430591156537523030" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/7430591156537523030" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/MiA2KgrKo08/access-control-and-service-oriented.html" title="Access Control and Service Oriented Architectures" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/04/access-control-and-service-oriented.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-8863706998571838586</id><published>2013-04-26T09:46:00.000-04:00</published><updated>2013-04-26T09:46:41.007-04:00</updated><title type="text">When to Declare an Information Security Incident and How to Respond When You Do</title><content type="html">In addition to the presentation with Don Becker and Vlad Grigorescu, I presented at this year's EDUCAUSE/Internet2 Security Professionals (ESP) Conference with Bob Henry.&lt;br /&gt;&lt;br /&gt;This talk was of a more 
introductory nature, and stressed the need to have an incident response plan in place before things go bad. Any time that you can be in a position where you are responding in a premeditated way, rather than reacting and having to improvise on the spot, you are better off.&lt;br /&gt;&lt;br /&gt;My role in the presentation was to talk a little about high-level cycles that pretty much all attacks go through, and what we, as defenders, can do to try to prevent those attacks from being successful or, failing that, to limit the damage that they do.&lt;br /&gt;&lt;br /&gt;Bob then took the foundation that I built and went through a case study of an actual breach that he worked.&lt;br /&gt;&lt;br /&gt;The slides are available at the &lt;a href="http://www.educause.edu/events/security-professionals-conference/2013/when-declare-information-security-incident-and-how-respond-once-you-do"&gt;EDUCAUSE web site&lt;/a&gt;.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/BNau4Jnjj2A" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/8863706998571838586/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/04/in-addition-to-presentation-with-don.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/8863706998571838586" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/8863706998571838586" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/BNau4Jnjj2A/in-addition-to-presentation-with-don.html" title="When to Declare an Information Security Incident and How to Respond When You Do" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/04/in-addition-to-presentation-with-don.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-6110041071648745694</id><published>2013-04-23T21:31:00.002-04:00</published><updated>2013-04-23T21:31:48.480-04:00</updated><title type="text">How Advanced Log Management Can Trump SIEM: Tales of Woe and Glory</title><content type="html">Together with Don Becker and&amp;nbsp;Vlad Grigorescu, I presented at this year's EDUCAUSE/Internet2 Security Professionals (ESP) Conference in St. Louis, Missouri. 
ESP is an annual conference bringing together about 400 security professionals who work in the higher education space. I have spoken there several times before, and I really enjoy the interaction with the audience. The comments and questions are almost always 100% relevant to my daily practice.&lt;br /&gt;&lt;br /&gt;In this talk, I explored the thought that log management sometimes will trump SIEM. Obviously, SIEM is stronger from a conceptual perspective, but integration issues, implementation problems and adoption by other technical units may often pose so many roadblocks that a full SIEM deployment is not possible, or even desirable.&lt;br /&gt;&lt;br /&gt;A point that I tried to make was that log management is actually a prerequisite for SIEM. I cheated a little bit, and decided to include log generation in the log management process. If your system does not generate logs that contain useful information, or if they are not readable by computers as well as by humans, you're at such a disadvantage that SIEM is simply impossible to do well.&lt;br /&gt;&lt;br /&gt;Other than having a starting point in your logs, you'll also need to know what questions you want to ask. That is a ridiculously hard question. After all, if we knew what to look for ahead of time, being an information security defender would be a whole lot easier.&lt;br /&gt;&lt;br /&gt;Unfortunately, the presentation was not recorded. However, the slides are available at the EDUCAUSE web site. Head over to the &lt;a href="http://www.educause.edu/sites/default/files/library/presentations/SEC13/SESS14/ESP2013%2BPresentation%2BLeune%2B%2526%2BBecker.pdf"&gt;EDUCAUSE Conference Web Site&lt;/a&gt;&amp;nbsp;and please let me know what you think.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/yd8ekCyCELw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/6110041071648745694/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/04/how-advanced-log-management-can-trump.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/6110041071648745694" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/6110041071648745694" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/yd8ekCyCELw/how-advanced-log-management-can-trump.html" title="How Advanced Log Management Can Trump SIEM: Tales of Woe and Glory" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/04/how-advanced-log-management-can-trump.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-2445047904261744361</id><published>2013-04-12T21:05:00.000-04:00</published><updated>2013-04-12T21:05:57.765-04:00</updated><title type="text">Conference presentations</title><content type="html">&lt;img align="left" alt="EDUCAUSE Logo" src="http://www.educause.edu/sites/all/themes/edutheme/logo.png" /&gt;&lt;br /&gt;&lt;br /&gt;On Monday, I'm flying out to St. 
Louis, MO for the annual &lt;a href="http://www.educause.edu/sec13"&gt;EDUCAUSE/Internet2 Security Professionals Conference&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This year, I will participate in two presentations:&lt;br /&gt;&lt;br /&gt;At 11:30 a.m., I will co-present&amp;nbsp;&lt;a href="http://www.educause.edu/events/security-professionals-conference/2013/when-declare-information-security-incident-and-how-respond-once-you-do" target="_blank"&gt;When to Declare an Information Security Incident and How to Respond Once You Do&lt;/a&gt;. The presentation will provide a brief overview of the information security offensive process and contrast it with the defensive process. After my introduction, my co-presenter will kick off a case study in which we look at logs, find meaning, and figure out what happened.&lt;br /&gt;&lt;br /&gt;Then, I'm up again at 1:15 p.m. to talk about&amp;nbsp;&lt;a href="http://www.educause.edu/events/security-professionals-conference/2013/how-advanced-log-management-can-trump-siem-tales-woe-and-glory"&gt;How Advanced Log Management Can Trump SIEM: Tales of Woe and Glory&lt;/a&gt;.&amp;nbsp;The conference organization asked me to merge my presentation with somebody else's, so that's going to take a bit away from the story that I wanted to convey. While the presentation is not what I hoped it would become, I think we still have an interesting talk lined up. We'll talk about the fact that operating a SIEM and getting meaningful (and actionable) data from it is ridiculously difficult, and that log management may, in many cases, be all you need. I'll provide anecdotal evidence of the fact that I decided to give up my SIEM for a log management solution, and that I have been very happy with the results. My co-presenter will then dive deep into how he built a solution based on open source projects.&lt;br /&gt;&lt;br /&gt;If you are going to be in St. Louis, please say: "Hello!" 
I'll come in Monday afternoon around 3:30 p.m. and I'm leaving again Tuesday afternoon.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/LTJ7m-CbJaQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/2445047904261744361/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/04/conference-presentations.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/2445047904261744361" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/2445047904261744361" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/LTJ7m-CbJaQ/conference-presentations.html" title="Conference presentations" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>1</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/04/conference-presentations.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-1614690471408562848</id><published>2013-04-02T14:53:00.003-04:00</published><updated>2013-04-02T14:53:37.558-04:00</updated><title type="text">OWASP AppSecUSA</title><content type="html">&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-yJEDRZYMi7Q/UL_saZhirPI/AAAAAAAAAZc/vHEy68mY8o8/s1600/owasp.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" 
src="http://3.bp.blogspot.com/-yJEDRZYMi7Q/UL_saZhirPI/AAAAAAAAAZc/vHEy68mY8o8/s200/owasp.png" width="188" /&gt;&lt;/a&gt;&lt;/div&gt;New York City has the honor of hosting this year's OWASP AppSec USA conference. As one of the conference's volunteer staff, I'm asking everyone who reads this to review the &lt;a href="http://appsecusa.org/2013/call-for-papers-and-trainers/" target="_blank"&gt;Call For Papers&lt;/a&gt; and to submit a proposal if you have something to share with the world.&lt;br /&gt;&lt;br /&gt;The CFP is open until the end of April. If you submit a proposal, you'll hear by the end of May whether your proposal was accepted.&lt;br /&gt;&lt;br /&gt;Even if you cannot submit a proposal, please go ahead and block out the dates of the conference (Nov 18-21). Mid-town New York City is a great place to visit, and with about 2,500 attendees, the conference will be a great opportunity to learn and to maintain and/or build your professional network.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/DPA7e7bNAKE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/1614690471408562848/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/04/owasp-appsecusa.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/1614690471408562848" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/1614690471408562848" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/DPA7e7bNAKE/owasp-appsecusa.html" title="OWASP AppSecUSA" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-yJEDRZYMi7Q/UL_saZhirPI/AAAAAAAAAZc/vHEy68mY8o8/s72-c/owasp.png" height="72" width="72" /><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/04/owasp-appsecusa.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-2872007543995176246</id><published>2013-03-10T09:50:00.001-04:00</published><updated>2013-03-28T19:03:26.300-04:00</updated><title type="text">Are IT departments completely useless?</title><content type="html">&lt;a href="http://twitter.com/joshcorman" target="_blank"&gt;Josh Corman&lt;/a&gt; retweeted &lt;a href="https://twitter.com/alan_mather" target="_blank"&gt;Alan 
Mather&lt;/a&gt;&amp;nbsp;who pointed me to an article on &lt;a href="http://businessinsider.com/"&gt;businessinsider.com&lt;/a&gt;&amp;nbsp;that bears the ominous title&amp;nbsp;&lt;a href="http://www.businessinsider.com/it-departments-have-become-completely-useless-2013-3" target="_blank"&gt;IT Departments Have Become Completely Useless&lt;/a&gt;. The article tries to make a point that in many (most?) organizations, the CIO doesn't actually deal with much information.&lt;br /&gt;&lt;br /&gt;And it makes a few excellent points.&lt;br /&gt;&lt;br /&gt;Way back, when I was still in college to take courses for my undergraduate degree in "information management and technology", one of our best professors always pointed out that, while we often talk about Information Technology, we generally focus on 'T', whereas it probably should be on 'I'.&lt;br /&gt;&lt;br /&gt;Technology is something that many of us are comfortable with; it is something we can touch, something we can control, and just as importantly, something we can hide behind. But technology is just an enabler; focusing on the 'information' part of information technology will allow you to think long-term and, hopefully, make better decisions.&lt;br /&gt;&lt;br /&gt;Fast-forward to the information security world. We do much the same; how many of us focus on securing technology, rather than on protecting the organization for which we work? How many of us choose to hide behind firewalls, intrusion prevention systems, SIEMs, NAC devices, etc., while we should be out in the organization interacting with decision makers and operational staff alike?&lt;br /&gt;&lt;br /&gt;While it has been repeated so many times in the past, we have to remember that information security consists of equal parts of technology, people and processes.&lt;br /&gt;&lt;br /&gt;And don't get me started on the role of the security professional in organizational innovation. 
We must stop being roadblocks, and act more as innovation facilitators.&lt;br /&gt;&lt;br /&gt;The article linked above is a good reminder of that.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/kDog5YoKVKw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/2872007543995176246/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/03/are-it-departments-completely-useless.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/2872007543995176246" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/2872007543995176246" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/kDog5YoKVKw/are-it-departments-completely-useless.html" title="Are IT departments completely useless?" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>1</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/03/are-it-departments-completely-useless.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-3167104373740221432</id><published>2013-03-05T14:21:00.005-05:00</published><updated>2013-03-05T14:21:54.480-05:00</updated><title type="text">Raising awareness concerning software vulnerabilities</title><content type="html">Software vulnerabilities that allow a large variety of badness to happen is something that all enterprise information security professionals need to address. 
Where, a decade ago, we were mostly chasing after operating system bugs, and shortly after that, middleware bugs, we now seem to be focused solidly on patching bugs in application land. Those bugs range from flaws in web browser software to vulnerable document viewers and code interpreters subject to attack and privilege escalation.&lt;br /&gt;&lt;br /&gt;It seems that the latest round of 0-days is focusing a lot on Oracle products. Java has been in the spotlight for quite a few years now, and the security track record has never been stellar. However, 2013 seems to set a new, albeit dubious, high with regards to both the frequency at which vulnerabilities are discovered as well as the severity of those vulnerabilities.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-gBqNK7-hEmA/UTZEIugfSuI/AAAAAAAAAi0/_2ydM6JEYSk/s1600/1362410719871.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://3.bp.blogspot.com/-gBqNK7-hEmA/UTZEIugfSuI/AAAAAAAAAi0/_2ydM6JEYSk/s320/1362410719871.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;To inform my fellow IT staff of that trend, I posted this little poster on the wall outside my office. 
Like many organizations, we rely on Java for several enterprise applications, and the primary goal of the poster was to raise awareness within the IT team that Java is software that should be treated just like an operating system.&lt;br /&gt;&lt;br /&gt;In other words, manage versions wisely, migrate off branches before they reach end-of-life, and apply patches whenever they are released, and do so fast.&lt;br /&gt;&lt;br /&gt;I underestimated the response that I would get.&lt;br /&gt;&lt;br /&gt;My &lt;a href="http://twitter.com/leune" target="_blank"&gt;Twitter feed&lt;/a&gt;, normally sedate, lit up with retweets and favorites and I would say about half of the IT staff that passes by my office on a regular day stopped by to have a little conversation about my "artwork". That gave me an opportunity to explain to many of them what it means when 0-days are out in the wild and patches are not available. A good number of them went back to their desks and either removed Java&amp;nbsp;altogether, or they patched and updated it.&lt;br /&gt;&lt;br /&gt;Even better, when I came back from lunch, creative individuals had already updated my poster for Java 7 update 17 that was released less than 30 minutes before that point! Talk about effective engagement: not only did I have a chance to explain 0-day badness to IT folk, they even ran with it and made it a collaborative group effort.&lt;br /&gt;&lt;br /&gt;In another day or so, I'll take the sheets down again. Having them up any longer means that people will start ignoring them, and nobody wants that.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/3dsgtK60kRA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/3167104373740221432/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/03/raising-awareness-concerning-software.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/3167104373740221432" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/3167104373740221432" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/3dsgtK60kRA/raising-awareness-concerning-software.html" title="Raising awareness concerning software vulnerabilities" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-gBqNK7-hEmA/UTZEIugfSuI/AAAAAAAAAi0/_2ydM6JEYSk/s72-c/1362410719871.jpg" height="72" width="72" /><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/03/raising-awareness-concerning-software.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-5218444763623942450</id><published>2013-02-27T19:16:00.000-05:00</published><updated>2013-02-27T19:16:06.692-05:00</updated><title type="text">Project Management</title><content type="html">Project management is another one of those critical skills that is not often 
considered for an information security employee. Many of us run from one fire to the next, and we often do not have much time to work on projects of our own.&lt;br /&gt;&lt;br /&gt;In some rare cases, we are invited to sit on a project team that is assembled to address an IT problem, but even if that is the case, we usually don't get included until the project is already well on its way.&lt;br /&gt;&lt;br /&gt;However, that's not the point that I am trying to make!&lt;br /&gt;&lt;br /&gt;One of the things that I need to explain regularly is that the project manager's task is to provide the logistics for the project team. In other words, the project manager doesn't get to decide when things should happen, or how tasks should be executed.&lt;br /&gt;&lt;br /&gt;His task is to ensure that the actual project staff can do their work as effectively and as efficiently as possible. The PM does so by making sure that they have what they need, and that they are not bothered with details that distract from the tasks at hand. To do so, the PM shields the project team from unnecessary and unauthorized scope changes, and he makes sure that "stuff" is ready when needed.&lt;br /&gt;&lt;br /&gt;Of course, the PM must watch the timeline, the budget, and the nature of the deliverables. But that goes without saying.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/jmIArjpVxQ8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/5218444763623942450/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/02/project-management.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5218444763623942450" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5218444763623942450" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/jmIArjpVxQ8/project-management.html" title="Project Management" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/02/project-management.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-7703052496551869395</id><published>2013-02-26T20:57:00.002-05:00</published><updated>2013-02-26T20:57:28.979-05:00</updated><title type="text">Situational awareness</title><content type="html">&lt;table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-L0x_eNw72i4/US1mLCjWHwI/AAAAAAAAAig/vFLWMOFSN0o/s1600/5+Cardinal+Rules.jpg" imageanchor="1" style="clear: right; margin-bottom: 
1em; margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="320" src="http://3.bp.blogspot.com/-L0x_eNw72i4/US1mLCjWHwI/AAAAAAAAAig/vFLWMOFSN0o/s320/5+Cardinal+Rules.jpg" width="240" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;&lt;i&gt;Cardinal rules of the information security officer. &lt;/i&gt;&lt;br /&gt;This is posted on the wall of my office. It is&lt;br /&gt;surprising how often I point at it and refer to a &lt;br /&gt;specific rule during a conversation with my&lt;br /&gt;co-workers.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;One of the most fundamental rules that I preach in my practice is "No Surprises". There are a few more, but that is really the most important one. While co-workers and direct reports play an important role in the "No Surprises"-rule, every now and then I have to remind myself of the fact that I'm just as responsible for not springing any surprises on myself.&lt;br /&gt;&lt;br /&gt;My personal situational awareness contributes to that rule. Besides attempting to achieve and maintain network situational awareness, which provides me with a decent level of understanding of what is going on in my infrastructure from a deep technical view (think: packets, flows, logs, etc), I also need to maintain business situational awareness.&lt;br /&gt;&lt;br /&gt;For a hard-core techie like me, that is sometimes harder. However, knowing what my organization is up to from a business perspective is just as important, if not more so, than knowing what's going on from a technical perspective. Have our revenue streams changed? What does that mean for our critical processes and our sensitive data? Are my preventative and my detective controls still sufficient?&lt;br /&gt;&lt;br /&gt;What global trends are affecting the way we do business? Are there new contracts coming down the pipeline that I should know about? 
Do we have any business partners that are being acquired, or who are acquiring other companies? These are all questions that are directly relevant to the information security practice, but are often overlooked.&lt;br /&gt;&lt;br /&gt;The way to get to answers to these questions varies per person, and may be different from one organization to the next. One way to be in-the-know is to make sure that you are not perceived as a roadblock; information security must be seen as an enabler, and not as a&amp;nbsp;hindrance. Offering help to others on a regular basis, even if it is something that is out of your comfort zone and may not reap immediate short-term benefits, is a great way to cultivate that goodwill. Having lunch with non-technical people is another great way to learn about what's going on (yes, even auditors eat)!&lt;br /&gt;&lt;br /&gt;In general, being in-the-know boils down to having people respect you.&lt;br /&gt;&lt;br /&gt;Attend that corporate-wide event, even though you would much rather be knee-deep in packets. Being seen really helps. Being polite helps even more. Finally, being perceived as somebody who knows what he is doing helps the most. Even if that means that you need to wear a suit and tie, or at least a jacket and a pair of nice dress pants when you leave the inner sanctum of security operations, it may be worth it. Try it; it will not hurt (much), and it does pay off in the end.&lt;br /&gt;&lt;br /&gt;Once I have achieved personal situational awareness (network situational awareness and business situational awareness), I can pass it on to those who I work with. In the end, knowing what is normal is necessary to detect those pesky "deviations from the norm that can cause harm".&lt;br /&gt;&lt;br /&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/R0miO2Gr0uo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/7703052496551869395/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/02/situational-awareness.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/7703052496551869395" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/7703052496551869395" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/R0miO2Gr0uo/situational-awareness.html" title="Situational awareness" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-L0x_eNw72i4/US1mLCjWHwI/AAAAAAAAAig/vFLWMOFSN0o/s72-c/5+Cardinal+Rules.jpg" height="72" width="72" /><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/02/situational-awareness.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-6654222941985641681</id><published>2013-01-31T08:43:00.000-05:00</published><updated>2013-02-26T20:58:28.495-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Leadership" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">Using Teambuilding to Improve Performance for 
Geographically Distributed Information Security Professionals</title><content type="html">&lt;br /&gt;One of my GIAC Candidates just obtained her Gold certification by writing a research paper that is titled "&lt;a href="http://www.giac.org/paper/gslc/5833/teambuilding-improve-performance-geographically-distributed-information-security-profe/109592"&gt;Using Teambuilding to Improve Performance for Geographically Distributed Information Security Professionals&lt;/a&gt;". General leadership issues fail to be addressed at so many of the conferences that we visit that I wanted to bring this one to the forefront.&lt;br /&gt;&lt;br /&gt;Many of us work from home, or are on the road most of our time. Yet, we are expected to function as a team, and one of the key ingredients for team building is that the members of that team have something in common and have an opportunity to work together.&lt;br /&gt;&lt;br /&gt;In her paper, Julie points out that actively engaging in team building activities for your distributed infosec team really pays off. One very interesting observation in the paper deserves to be quoted verbatim:&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;"The most notable improvement came in the area of application security. Application&amp;nbsp;vulnerability scans are conducted annually and after major application upgrades.  The scans&amp;nbsp;performed prior to training took weeks to resolve with corporate IA.  There were prolonged&amp;nbsp;email threads concerning how to mitigate certain results along with numerous teleconferences&amp;nbsp;and individual phone calls.  Similar scans, conducted after training, were resolved in one 30&amp;nbsp;minute meeting"&lt;/blockquote&gt;&lt;br /&gt;All-in-all, although not your typical infosec publication, this paper is worth reading.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/hQvuXttt4ic" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/6654222941985641681/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/01/using-teambuilding-to-improve.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/6654222941985641681" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/6654222941985641681" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/hQvuXttt4ic/using-teambuilding-to-improve.html" title="Using Teambuilding to Improve Performance for Geographically Distributed Information Security Professionals" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/01/using-teambuilding-to-improve.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-1772924676167180868</id><published>2013-01-29T10:46:00.000-05:00</published><updated>2013-01-29T10:46:00.295-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="copyright" /><category scheme="http://www.blogger.com/atom/ns#" term="dmca" /><category scheme="http://www.blogger.com/atom/ns#" term="investigations" /><title type="text">DMCA Notices</title><content type="html">It is not a secret that I work in 
higher education, and with that territory comes the fun of dealing with DMCA notices. First of all, for those who have never seen one, let me share some of the background.&lt;br /&gt;&lt;br /&gt;The Digital Millennium Copyright Act is a United States law passed in 1998 that protects the interests of copyright holders. It does so almost to the extreme.&lt;br /&gt;&lt;br /&gt;In normal circumstances, the owner of a network or a system will be held liable for copyright infringements. One of the aspects of the DMCA is that it provides safe harbor to online service providers. That means that if one of my users infringes on somebody else's copyrights via my network, I will not be held liable for their actions if I do a few things. The most important aspect of the safe harbor provision is that the copyright holder, or somebody acting on their behalf, can send me a takedown notice. The law specifies that the takedown notice must follow certain criteria, and most copyright enforcement companies digitally sign the notices with PGP.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-lzYTwHXjDb0/UQaSznXQa7I/AAAAAAAAAf8/lwAe0DzuUsk/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="328" src="http://1.bp.blogspot.com/-lzYTwHXjDb0/UQaSznXQa7I/AAAAAAAAAf8/lwAe0DzuUsk/s400/Capture.PNG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Until now, most copyright notices have been just that: a notice that somebody believes one of my users is sharing copyrighted materials, accompanied by the request to "make it stop" and to pass the notice on to the owner. 
This past week, the notices started changing, and they now include a username/password to a website on which the user can log in to enter into a settlement agreement in order to avoid legal action!&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-mp-oI-c8tdQ/UQab_nVVXjI/AAAAAAAAAgM/QYFpYa5gyUA/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="161" src="http://4.bp.blogspot.com/-mp-oI-c8tdQ/UQab_nVVXjI/AAAAAAAAAgM/QYFpYa5gyUA/s400/Capture2.PNG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The investigative process doesn't change; we're still checking to see if the message was sent to the right address, if the digital signature is valid, if the required DMCA takedown components are present in the notice, and if we can find netflows that line up with the time of the alleged sharing. If all of that does match, we find out whose computer was causing the flows, and we "make it stop". That concludes our infosec investigation and the case is handed over to the next stop in the process.&lt;br /&gt;&lt;br /&gt;The whole DMCA process already didn't make me feel great, but now that we have basically turned into the messenger of a "settle here or be sued" message, it is even more distasteful.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/OjFQmAn_eSY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/1772924676167180868/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/01/dmca-notices.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/1772924676167180868" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/1772924676167180868" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/OjFQmAn_eSY/dmca-notices.html" title="DMCA Notices" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-lzYTwHXjDb0/UQaSznXQa7I/AAAAAAAAAf8/lwAe0DzuUsk/s72-c/Capture.PNG" height="72" width="72" /><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/01/dmca-notices.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-5686945638927678161</id><published>2013-01-28T09:32:00.002-05:00</published><updated>2013-01-28T09:32:53.660-05:00</updated><title type="text">Security Blogger Awards</title><content type="html">&lt;a href="https://twitter.com/451wendy" target="_blank"&gt;@451Wendy&lt;/a&gt;&amp;nbsp;just &lt;a href="https://twitter.com/451wendy/status/295900395073593344" target="_blank"&gt;pointed 
out&lt;/a&gt; that I have been &lt;a href="http://www.ashimmy.com/2013/01/security-blogger-awards-finalist-voting-is-now-open.html" target="_blank"&gt;nominated&lt;/a&gt; as a finalist in The Most Educational Security Blog category of the 2013&amp;nbsp;&lt;a href="http://www.securitybloggersnetwork.com/" target="_blank"&gt;Security Blogger&lt;/a&gt; Awards. Just the nomination by itself is a great reward and a motivation to continue writing! I'll keep my fingers crossed for a positive outcome! If you are a member of the Security Blogger's group, please head over to the &lt;a href="https://s.zoomerang.com/s/SBNFinalVotes" target="_blank"&gt;voting page&lt;/a&gt; and do the right thing ;)&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'll try to keep the content coming as much as I can, and as much as time allows. I have just started teaching another full semester undergrad security course, so I'm sure some topics are bound to pop up. Major projects season is approaching rapidly too, so expect to see some more operationally-related things to come around also.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Thank you for the vote of confidence!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/ngOzG5dWAlk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/5686945638927678161/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/01/security-blogger-awards.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5686945638927678161" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5686945638927678161" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/ngOzG5dWAlk/security-blogger-awards.html" title="Security Blogger Awards" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>1</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/01/security-blogger-awards.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-6756749127301989033</id><published>2013-01-15T18:06:00.002-05:00</published><updated>2013-01-15T18:06:38.282-05:00</updated><title type="text">SANS Security Leadership Course</title><content type="html">I am in the process of putting together a SANS &lt;a href="http://www.sans.org/mentor/about" target="_blank"&gt;mentor&lt;/a&gt; class for the &lt;a href="http://www.sans.org/course/security-leadership-essentials-managers-knowledge-compression" target="_blank"&gt;Security Leadership course.&lt;/a&gt; If you are interested in 
taking the class on-site with me, for about 2 hours a week over 10 weeks, please let me know. The fine people over at SANS have put together a &lt;a href="http://www.sans.org/mentor/class/mgt512-new-york-feb-2013-kees-leune" target="_blank"&gt;web page with more information&lt;/a&gt;. We're looking to begin in a few weeks, but the actual start date is flexible to&amp;nbsp;accommodate&amp;nbsp;the schedule of the students.&lt;br /&gt;&lt;br /&gt;The curriculum is divided into a few main sections:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&amp;nbsp; MGT512.1: Managing the Plant, Network, and Information Architecture&lt;br /&gt;&amp;nbsp; MGT512.2: IP Concepts, Attacks Against the Enterprise and Defense-in-Depth&lt;br /&gt;&amp;nbsp; MGT512.3: Secure Communications&lt;br /&gt;&amp;nbsp; MGT512.4: The Value of Information&lt;br /&gt;&amp;nbsp; MGT512.5: Management Practicum&lt;br /&gt;&lt;br /&gt;Sounds interesting? Drop me a line before registering and I might be able to come up with a discount!&lt;br /&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/0GSZpyWZG-c" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/6756749127301989033/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2013/01/sans-security-leadership-course.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/6756749127301989033" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/6756749127301989033" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/0GSZpyWZG-c/sans-security-leadership-course.html" title="SANS Security Leadership Course" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2013/01/sans-security-leadership-course.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-249186218523910672</id><published>2012-12-30T09:51:00.001-05:00</published><updated>2013-01-28T09:36:45.112-05:00</updated><title type="text">New blog: Technology Toolshed</title><content type="html">I started blogging about my experiments with Raspberry Pi computers on my &lt;a href="http://blog.leune.org/"&gt;Information Security Leadership blog&lt;/a&gt;. 
However, since hardware tinkering and Information Security Leadership are only slightly related (at best), I have decided to spin my technical musings off to a separate blog. If you are interested in what I am doing in hardware land, please subscribe to my &lt;a href="http://techtoolshed.blogspot.com/"&gt;Technology Toolshed blog&lt;/a&gt;.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;(Update January 28, 2013: fixed typographic mess)&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/-f011BuWozs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/249186218523910672/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/12/new-blog-technology-toolshed.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/249186218523910672" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/249186218523910672" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/-f011BuWozs/new-blog-technology-toolshed.html" title="New blog: Technology Toolshed" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/12/new-blog-technology-toolshed.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-5776988482384766761</id><published>2012-12-10T11:53:00.003-05:00</published><updated>2012-12-10T11:55:51.583-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="passwords" /><category scheme="http://www.blogger.com/atom/ns#" term="identity" /><category scheme="http://www.blogger.com/atom/ns#" term="federation" /><title type="text">From password bruteforcing to identity federations</title><content type="html">I must have mentioned this hundreds of times already, and this should not come 
as a shock: &lt;i&gt;the age of passwords should have been over a long time ago&lt;/i&gt;. While there are reasonably good defenses against online password attacks, an attacker who is able to get hold of an encrypted (or hashed) password database will bypass those defenses, because guesses can then be tested offline, without lockouts or rate limits. An article on Ars Technica really drove that point home:&amp;nbsp;&lt;a href="http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/" target="_blank"&gt;25-GPU cluster cracks every standard Windows password in 6 hours.&lt;!--6--&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;While these capabilities are not new, until recently they were believed to be only in reach of nation states. However, as the article points out, it is now possible to build your own bruteforce password cracker&amp;nbsp;for less than $5,000.&lt;br /&gt;&lt;br /&gt;Passwords will probably continue to play an important part in any authentication scheme for the foreseeable future, but our reliance on passwords as the only authentication factor has to end.&lt;br /&gt;&lt;br /&gt;(True) two-factor authentication may help, as may other authentication approaches. The biggest problem with that, however, is user acceptance. People are just not willing to deal with having to move away from their trusted little password, because it still gives them a (false) sense of security. Carrying tokens (soft tokens or hardware tokens) is too inconvenient and it must be managed. And no, I really don't have a good solution.&lt;br /&gt;&lt;br /&gt;At this point, Identity Federation seems to be an interesting avenue to pursue.&lt;br /&gt;&lt;br /&gt;Let's see if we can move away from having an identity provider for each application we use, and instead, establish only a handful of them. 
Make sure that authenticating to a federated identity provider is secure (via true two-factor, or otherwise) and start leveraging what they have in place so we can focus on authorization and access control, rather than on authentication alone.&lt;br /&gt;&lt;br /&gt;As much as I don't like some of the more common identity providers now (Facebook, Google, etc.), those concerns are driven more by privacy than by security.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/ReMfJkBpY2A" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/5776988482384766761/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/12/from-password-bruteforcing-to-identity.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5776988482384766761" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5776988482384766761" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/ReMfJkBpY2A/from-password-bruteforcing-to-identity.html" title="From password bruteforcing to identity federations" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/12/from-password-bruteforcing-to-identity.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-5541821359886802903</id><published>2012-12-08T16:03:00.003-05:00</published><updated>2012-12-08T16:03:38.936-05:00</updated><title type="text">Infosec Threat Modeling</title><content type="html">&lt;span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px;"&gt;&lt;i&gt;Information Security Threat Modeling&lt;/i&gt; is one of those arcane sub-disciplines of which it is easy to find just as many practitioners 
who are convinced that it should offer real benefits, as it is to find practitioners who believe that "it is never going to work".&lt;/span&gt;&lt;br style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px;" /&gt;&lt;br style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px;" /&gt;&lt;span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px;"&gt;The same can be said for academic interest in threat modeling.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px;"&gt;Conceptual modeling is a research field that has been around for a long time. As a research conference, the ER conference was established in the late 1970s and, 30+ years later, it is still going. The information security research discipline is about as old. Conceivably one of the earliest comprehensive bodies of work is contained in the Orange Book (1983).&lt;/span&gt;&lt;br style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px;" /&gt;&lt;br style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px;" /&gt;&lt;span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px;"&gt;So: how is it then that most approaches to threat modeling really haven't changed all that much and that most evidence of successful use of threat modeling techniques only exists in anecdotal form? Who is using threat modeling as a foundational element of their infosec strategy? What is the state of the art in research? 
Can we find case studies and determine how effective the models have been?&lt;/span&gt;&lt;br /&gt;&lt;span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px;"&gt;Let's get &lt;a href="https://plus.google.com/u/1/communities/113245366698908337196" target="_blank"&gt;the conversation&lt;/a&gt; started!&lt;/span&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/f4pfdehHGjc" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/5541821359886802903/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/12/infosec-threat-modeling.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5541821359886802903" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5541821359886802903" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/f4pfdehHGjc/infosec-threat-modeling.html" title="Infosec Threat Modeling" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/12/infosec-threat-modeling.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-3021627352769531179</id><published>2012-12-07T20:33:00.000-05:00</published><updated>2012-12-07T20:33:54.194-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="plan for failure" /><category scheme="http://www.blogger.com/atom/ns#" term="google" /><title type="text">So it goes,...</title><content type="html">Google just &lt;a href="http://googleenterprise.blogspot.com/2012/12/changes-to-google-apps-for-businesses.html" target="_blank"&gt;announced&lt;/a&gt; that, effective immediately, they no longer offer 
free Google Apps domains. Existing customers are unaffected.&lt;br /&gt;&lt;br /&gt;I registered my personal domain with Google almost from the day they started offering it, and as an early adopter of Gmail and Google Apps, I was one of the strongest advocates when the transition to Google Enterprise started in our IT management team.&lt;br /&gt;&lt;br /&gt;Now, with this move, I am starting to have doubts. While Google has always said that services would remain free, this is the first sign that they are chipping away at that promise. As only one small particle in the Google Universe, I know that I do not have much influence. Still, I'm going to watch where this goes, and I guess it is time to &lt;a href="http://infosecleader.blogspot.com/2012/08/the-delicate-dance-between-vendors-and.html" target="_blank"&gt;start planning for contingencies&lt;/a&gt;.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/3eIjFuP5e2Y" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/3021627352769531179/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/12/so-it-goes.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/3021627352769531179" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/3021627352769531179" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/3eIjFuP5e2Y/so-it-goes.html" title="So it goes,..." /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/12/so-it-goes.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-1223864953233306583</id><published>2012-12-06T11:30:00.000-05:00</published><updated>2012-12-06T11:30:02.491-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="SANS" /><category scheme="http://www.blogger.com/atom/ns#" term="Mentor" /><category scheme="http://www.blogger.com/atom/ns#" term="Leadership" /><category scheme="http://www.blogger.com/atom/ns#" term="Teaching" /><category scheme="http://www.blogger.com/atom/ns#" term="GSLC" /><title type="text">SANS Security Leadership Essentials (GSLC)</title><content type="html">&lt;div class="separator" 
style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-DrFqj8fajP8/UL_vz-bpjqI/AAAAAAAAAZs/NAqEyg-MBps/s1600/GSLC.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img alt="GSLC logo" border="0" src="http://2.bp.blogspot.com/-DrFqj8fajP8/UL_vz-bpjqI/AAAAAAAAAZs/NAqEyg-MBps/s1600/GSLC.jpg" title="GSLC" /&gt;&lt;/a&gt;&lt;/div&gt;If we can get enough people together, I'll be teaching SANS &lt;a href="http://www.sans.org/course/security-leadership-essentials-managers-knowledge-compression" target="_blank"&gt;Security Leadership Essentials&lt;/a&gt; in the Mentor format soon. We are scheduled to start in January 2013, but could bump it back a few weeks if that is easier for the attendees. Once started, we continue for as long as it takes to get through the materials (typically, 2 hours a week at night for 10 weeks).&lt;br /&gt;&lt;br /&gt;If you are interested in participating in SANS training, and you happen to be in (or near) Long Island, please take this opportunity and join me.&lt;br /&gt;&lt;br /&gt;More information is available at the &lt;a href="http://www.sans.org/mentor/class/mgt512-new-york-jan-2013-kees-leune" target="_blank"&gt;SANS Mentor&lt;/a&gt; website for this course.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/554iYQBnYNg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/1223864953233306583/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/12/sans-security-leadership-essentials-gslc.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/1223864953233306583" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/1223864953233306583" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/554iYQBnYNg/sans-security-leadership-essentials-gslc.html" title="SANS Security Leadership Essentials (GSLC)" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-DrFqj8fajP8/UL_vz-bpjqI/AAAAAAAAAZs/NAqEyg-MBps/s72-c/GSLC.jpg" height="72" width="72" /><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/12/sans-security-leadership-essentials-gslc.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-7937344489766077004</id><published>2012-12-05T19:53:00.003-05:00</published><updated>2012-12-05T19:53:28.286-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="owasp" /><category scheme="http://www.blogger.com/atom/ns#" term="speaking" /><title 
type="text">Speaking at OWASP Long Island</title><content type="html">&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-yJEDRZYMi7Q/UL_saZhirPI/AAAAAAAAAZc/vHEy68mY8o8/s1600/owasp.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-yJEDRZYMi7Q/UL_saZhirPI/AAAAAAAAAZc/vHEy68mY8o8/s200/owasp.png" width="187" /&gt;&lt;/a&gt;&lt;/div&gt;I will be speaking at the &lt;a href="https://www.owasp.org/index.php/Long_Island" target="_blank"&gt;Long Island chapter&lt;/a&gt; of &lt;a href="https://www.owasp.org/" target="_blank"&gt;OWASP&lt;/a&gt; next week. The topic of my talk will be &lt;i&gt;threat modeling&lt;/i&gt;.&lt;br /&gt;&lt;br /&gt;Once I have put together the materials for this presentation, I'll dedicate a few blog posts to it.&lt;br /&gt;&lt;br /&gt;If there is sufficient interest, I'll try to live-stream the event also. Please ping me if you are interested in attending online.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/NSYuFxuZCV0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/7937344489766077004/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/12/speaking-at-owasp-long-island.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/7937344489766077004" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/7937344489766077004" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/NSYuFxuZCV0/speaking-at-owasp-long-island.html" title="Speaking at OWASP Long Island" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-yJEDRZYMi7Q/UL_saZhirPI/AAAAAAAAAZc/vHEy68mY8o8/s72-c/owasp.png" height="72" width="72" /><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/12/speaking-at-owasp-long-island.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-5114170450854304358</id><published>2012-12-02T09:57:00.006-05:00</published><updated>2012-12-02T09:57:35.736-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Raspbery Pi" /><category scheme="http://www.blogger.com/atom/ns#" 
term="Teaching" /><title type="text">Raspberry Pi</title><content type="html">I ordered a &lt;a href="http://www.raspberrypi.org/" target="_blank"&gt;Raspberry Pi&lt;/a&gt; a while ago to tinker around with. I did not have a fully developed plan for what to do with it yet, but a fully functional computer for $35 is something that I couldn't pass up. Now that I have messed around with it for a while, I'm really starting to like the device. Eventually, it will probably make a nice media center of sorts, but 512 MB of on-board RAM is plenty to run a modern (headless) Linux distro and plenty of useful software has been ported to the platform.&lt;br /&gt;&lt;br /&gt;As you know, I regularly run classes in which students participate in a virtual cyber wargame. That game typically involves about a half dozen targets, serving different purposes. Some of the limitations that I experienced in the past were constraints on the number of VMs that I can bring up, and the fact that I cannot give my students their own individual machines.&lt;br /&gt;&lt;br /&gt;With Raspberry Pis, that might change; there is really nothing wrong with provisioning one RPi per student. I'll need a cheap network switch to connect them all and a bunch of power supplies and/or a USB port replicator that can provide enough current for the boards. They'll still be behind some form of a bastion host, so I don't have to have a top-of-the-line switch; something cheap(ish) will do just fine.&lt;br /&gt;&lt;br /&gt;The guys over at Pwnie Express have put together a nice &lt;a href="http://pwnieexpress.com/blogs/news/6156890-raspberry-pwn-a-pentesting-release-for-the-raspberry-pi" target="_blank"&gt;bundle of security software&lt;/a&gt;&amp;nbsp;for the RPi that might just serve my purposes very well.&lt;br /&gt;&lt;br /&gt;It is worth exploring!&lt;br /&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/QIhjSdk52CY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/5114170450854304358/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/12/raspberry-pi.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5114170450854304358" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5114170450854304358" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/QIhjSdk52CY/raspberry-pi.html" title="Raspberry Pi" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/12/raspberry-pi.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-7527395815118686313</id><published>2012-11-21T08:53:00.001-05:00</published><updated>2012-11-21T08:53:03.339-05:00</updated><title type="text">Happy Thanksgiving</title><content type="html">As the United States is getting ready to celebrate Thanksgiving weekend, many organizations will be either closing completely from Thursday until Sunday, or they will run on skeleton staff performing minimal operations.&lt;br /&gt;&lt;br /&gt;Unfortunately, the rest of the world also know this, and invariably, I see an uptick in the more advanced probing and scanning attempts against 
my networks during exactly that time. If you are responsible for information security in your organization, make sure you have at least bare-minimum monitoring coverage in place and assign staff to review what is going on at least once a day. Have your escalation processes documented (and tested) before everybody leaves.&lt;br /&gt;&lt;br /&gt;Of course, if you happen to be in retail, you're pretty much out of luck, as you'll be heading into one of the busiest days of the year.&lt;br /&gt;&lt;br /&gt;Happy Thanksgiving!&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/Xq0hjFk33rI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/7527395815118686313/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/11/happy-thanksgiving.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/7527395815118686313" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/7527395815118686313" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/Xq0hjFk33rI/happy-thanksgiving.html" title="Happy Thanksgiving" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/11/happy-thanksgiving.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-2138204257090186681</id><published>2012-11-18T20:06:00.003-05:00</published><updated>2012-11-19T10:55:40.855-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Business Continuity" /><title type="text">Lessons learned from Superstorm Sandy</title><content type="html">Like many of the people living on Long Island, I was affected by Superstorm Sandy. This is true both personally, as well as professionally. 
In this post, I will focus on personal experiences.&lt;br /&gt;&lt;br /&gt;Nobody in my immediate family was injured and my house did &amp;nbsp;not sustain any damage, but a force of nature such as Sandy does illustrate the need for preparedness. Given where I live, I knew that my biggest problem would be the availability of electric power and when everything was over and done with, we had been without electricity &amp;nbsp;for over 10 days. &amp;nbsp;What I had not anticipated was the fact that we would&amp;nbsp;have little or no available fuel for our vehicles&amp;nbsp;for weeks.&lt;br /&gt;&lt;br /&gt;Compared to the devastation that so many other people are still going through, our experience was an inconvenience, at most. However, not having electrical power did leave us in a situation where we had no telephone connectivity, no Internet, no television and no radio. In other words, we were in the dark literally and figuratively.&lt;br /&gt;&lt;br /&gt;Our landlines are Verizon FiOS, which need power to work. While the FiOS setup comes with a backup battery, it only lasts for a few hours. The cell phone towers were quickly overloaded while they were working, but as the storm did more and more damage, cell phone signal was gone in no-time. Our phones were charged; they just had nothing to talk to.&lt;br /&gt;&lt;br /&gt;Cell phone service did return after a few days, but only very spotty and without any data connectivity. Text messaging was really the only way to get news in or out.&lt;br /&gt;&lt;br /&gt;No power also means no television, no radio and no Internet. Consequently, it took a few days for us to figure out how badly the area was really affected by the storm. 
Since we had trees down all around us and potentially live wires all over the road, we were pretty much constrained to our block the first day or two.&lt;br /&gt;&lt;br /&gt;Sure, we had radios in the car, but if you don't know how much gas you have left, you're not going to risk running your battery into the ground. You are also not going to run your engine, just because you want to listen to the radio. Suddenly, a seemingly infinite resource like gasoline is preciously scarce.&lt;br /&gt;&lt;br /&gt;If you haven't done so already, becoming friendly with the people in your neighborhood really helps with preparedness too. We received countless offers from people who had working fireplaces to use their homes (even when they were out!) to warm up, or from people with generators to recharge our electronic devices there. Apart from that, a neighborhood where people are friendly to each other is a safer neighborhood. Oddities will stand out more and people are more likely to report suspicious behavior.&lt;br /&gt;&lt;br /&gt;People are good at functioning without artificial light. It took my family about a day to adjust to the natural rhythm of waking up at sunrise and going to bed at sunset. We still had cold and warm running water as well as natural gas, so we were able to use warm water and cook. Since we had no power, we knew that whatever was left in the fridge and freezer would last only a few days. This was a good time for a lot of cooking (starting early, because darkness set in by 5 pm) and to finally get rid of dozens of half-empty bottles of condiments.&lt;br /&gt;&lt;br /&gt;The temperature would drop pretty steeply at night, but not to a point where extra blankets and layered clothing would not help. The house was kept somewhat warm by running two of the four gas burners pretty much all day long and by strategically placing pots of boiling water around the house. 
Paired with being smart about closing and opening curtains and keeping doors closed, we did okay.&lt;br /&gt;&lt;br /&gt;Since we were trying to keep the heat in, we had to be a little careful about candles, oil lamps and such. Fortunately, we had carbon monoxide detectors throughout the house and having them gave some peace of mind.&lt;br /&gt;&lt;br /&gt;After about 10 days, some of our neighbors started getting their power back and I ran a long extension cable over from them. By removing the leads to house-power from our heating system and by replacing them with a link into the neighbor's house, we were able to get our heat back, and after that happened, we were pretty much all set. Doing without TV, radio and artificial light is possible, as long as you have heat. Knowing that, I was ready for another long weekend without power.&lt;br /&gt;&lt;br /&gt;Fortunately, it took another 4 hours after rigging the heat before house power returned. While we lost it again less than 24 hours later due to the snow storm, that outage was only two days and we were ready for that.&lt;br /&gt;&lt;br /&gt;In the middle of all this, we had to call 911 at 3am to have somebody transported to the emergency room (all is well, thank you for asking). Calling 911 with no house line, poor cell phone coverage, and roads blocked by fallen trees and power lines is not fun, by the way. Make sure you can get out onto the street and signal to the first responders where they need to be. They're looking after their own safety too and anything you can do to make their lives easier benefits you too.&lt;br /&gt;&lt;br /&gt;One of the reasons that it took fairly long for us to get power back is that we had huge trees crushing power lines at the other end of our block. The normal restoration cycle is that trees must be cleared first by specialized crews. Those crews do not come in until the power company certifies that the wires are not "hot". 
Once the trees are gone, the tree debris needs to be removed. Then, new electric poles need to be put in place, and only then will the utility come back to restore power. Now, that sounds easy, until you realize that there are a good half-dozen parties involved and since communications are difficult, coordination is too.&lt;br /&gt;&lt;br /&gt;Be nice to the tree guys. If you can, give them coffee, donuts, etc. while they are working. They are helping you out, even if it doesn't seem like they are making progress. But remember, they are often from out of state, away from their family, unfamiliar with the area, working long days and sleeping in uncomfortable beds. If you have it, give them a 6-pack of beer as they pack up for the day. I know I would appreciate that if I were in their shoes ;)&lt;br /&gt;&lt;br /&gt;So: what lessons did I learn for preparedness?&lt;br /&gt;&lt;br /&gt;1. When there is a storm warning, fill up your cars with gas and get a few gas cans with spare fuel. It will most likely take at least three weeks for the fuel distribution logistical system to return after another storm.&lt;br /&gt;&lt;br /&gt;2. Make sure you have flashlights in the house. If you choose battery operated ones, have a mix between lights with a focused beam and lights that are lanterns. The new high-intensity LED flashlights actually give off a lot of light and are relatively easy on your batteries. I HIGHLY recommend having a few lights that work based on a hand crank too. A minute of cranking yields about 40 minutes of light. I purchased this &lt;a href="http://www.amazon.com/gp/product/B002JT1DOM/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=B002JT1DOM&amp;amp;linkCode=as2&amp;amp;tag=leuneorg-20" target="_blank"&gt;camping lantern&lt;/a&gt;. It is powered by sunlight or by a hand crank. 
Previously, I also purchased a &lt;a href="http://www.amazon.com/gp/product/B002C5BXGQ/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=B002C5BXGQ&amp;amp;linkCode=as2&amp;amp;tag=leuneorg-20" target="_blank"&gt;little battery operated&lt;/a&gt;&lt;br /&gt;camping lantern. The light yield is tremendous and after using it for several hours each day during the power outage, the batteries are still going strong.&lt;br /&gt;&lt;br /&gt;3. Have radios. Hand cranks are good, battery operated is acceptable too. Know what stations to tune to.&amp;nbsp;Not bad! I purchased an&amp;nbsp;&lt;a href="http://www.amazon.com/gp/product/B001QTXKB0/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=B001QTXKB0&amp;amp;linkCode=as2&amp;amp;tag=leuneorg-20" target="_blank"&gt;Eton radio&lt;/a&gt;&amp;nbsp;that combines AM/FM, weather band, flashlight and USB charger.&lt;br /&gt;&lt;br /&gt;4. You'll need bottled water at hand. We were lucky enough to not lose water, but without it, I don't think we would have been able to stay in the house.&lt;br /&gt;&lt;br /&gt;5. A well-stocked pantry containing pasta, beans, canned tomatoes, cereals, etc. pays off big time. After about 4 days, you'll have to get rid of what is in your fridge. Your pantry will last.&lt;br /&gt;&lt;br /&gt;6. If you are a coffee junkie like me, make sure you have ground coffee in the house, as well as a filter that you can put on a coffee pot and just pour boiling water on it. We never lost our ability to make coffee (or tea, hot chocolate, etc.) I have this &lt;a href="http://www.amazon.com/gp/product/B000MIT2OK/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=B000MIT2OK&amp;amp;linkCode=as2&amp;amp;tag=leuneorg-20" target="_blank"&gt;Melitta Coffee maker&lt;/a&gt;. Don't forget to stock up on filters!&lt;br /&gt;&lt;br /&gt;7. 
Have an electrician put in a transfer switch on your heating system. That way, you can switch over to an external power source, such as a generator, or an extension cord.&lt;br /&gt;&lt;br /&gt;8. When it is time to purchase your next car, consider springing for the power converter option. Our car has a 115V output that can provide at most 100W of power (about 1 Ampere).&lt;br /&gt;&lt;br /&gt;9. Have a flashlight that can blink or can show different colors. It will do wonders to attract attention when in need.&lt;br /&gt;&lt;br /&gt;10. Even though roads were hard to travel, UPS and USPS continued to deliver. If your local community has charging stations set up and maybe even offers some Internet connectivity, online orders with overnight shipping can be very useful!&lt;br /&gt;&lt;br /&gt;11. Have an inventory of your battery-operated devices, know what batteries they take and have a supply at hand for emergency purposes. Don't rely on rechargeable batteries; they don't hold their charge well and they don't last as long as their non-reusable counterparts. Besides that, since you'll need batteries, you probably cannot recharge them anyway.&lt;br /&gt;&lt;br /&gt;12. If you are a HAM radio operator, like I am, have at least one radio that can be operated from battery or mobile. Know where your local emergency communications net is, and make sure that the people operating that net are at least somewhat familiar with your callsign.&lt;br /&gt;&lt;br /&gt;13. Have carbon monoxide detectors and check that they work. We heard more than a few stories of people who got overcome by carbon monoxide poisoning caused by burning candles or by improperly operating fireplaces.&lt;br /&gt;&lt;br /&gt;14. If you have a fireplace in your house, have the chimney cleaned once a year. We did not take the chance to run ours because I was not sure when it was last cleaned and I wasn't about to set the house on fire. If your chimney is clean, have wood to burn. 
Don't use pine as that is too oily and may create deadly fumes.&lt;br /&gt;&lt;br /&gt;15. If you have little children, make sure that you have them clean up the floor before going to bed. If you need to leave the house in the dark, you don't want to be tripping over toys.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/OaDnZKdWMwE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/2138204257090186681/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/11/lessons-learned-from-superstorm-sandy.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/2138204257090186681" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/2138204257090186681" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/OaDnZKdWMwE/lessons-learned-from-superstorm-sandy.html" title="Lessons learned from Superstorm Sandy" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/11/lessons-learned-from-superstorm-sandy.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-2882786345796652570</id><published>2012-11-18T11:34:00.005-05:00</published><updated>2012-11-18T12:21:13.773-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Teaching" /><category scheme="http://www.blogger.com/atom/ns#" term="Academia" /><title type="text">Bootable Linux USB drive for teaching</title><content type="html">I will be teaching my introduction to computer security course again next semester and one of the things that I like to do is 
give students hands-on experience with offensive techniques. Since our IP range is off by one digit from a relatively large number of .navy.mil sites, I would like to make sure that they are contained in a non-breakable jail.&lt;br /&gt;&lt;br /&gt;Until now, I had set the lab up to have students SSH in to a step stone server. From there, they connected out to a BackTrack platform that did not have a default gateway set. Even if students attempted to break out of the lab network, the step stone platform had firewall rules set up not to allow outbound traffic.&lt;br /&gt;&lt;br /&gt;As a result, it was a fairly robust environment.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;img alt="AttackPlatform.png" class="mt-image-center" src="http://www.leune.org/blog/kees/uploads/AttackPlatform.png" style="display: block; margin: 0px auto 20px; text-align: center;" /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;However, there were a few disadvantages.&lt;br /&gt;&lt;br /&gt;Due to capacity limitations, the entire class shared one instance of BackTrack. All students have root access to that box, and it usually doesn't take long before they find out that the shell history and artifacts downloaded by fellow students are interesting. As a result of my architectural choices, it is also kind-of tricky to remove artifacts from the lab environment.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So, this year, I'm going to try it a bit differently.&lt;br /&gt;&lt;br /&gt;Instead of using an SSH bastion host, I'm going to give all students a bootable USB drive with an &lt;span style="font-family: Courier New, Courier, monospace;"&gt;openvpn&lt;/span&gt; client installed. The client will connect to the bastion host and will not allow split tunneling. As a result, all traffic from the booted system goes through the tunnel, so while booted from the USB drive, students will ONLY be able to access the security lab. 
In the lab, I'll provide a file server (Samba or NFS, most likely) on which I load the tools that might be useful to them. That way, the tools are accessible only to those who are VPN'ed in.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;File transfer to retrieve artifacts can be easily achieved by inserting a second USB drive into the PC from which they are booting.&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/cM2wsqM2An8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/2882786345796652570/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/11/bootable-linux-usb-drive-for-teaching.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/2882786345796652570" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/2882786345796652570" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/cM2wsqM2An8/bootable-linux-usb-drive-for-teaching.html" title="Bootable Linux USB drive for teaching" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/11/bootable-linux-usb-drive-for-teaching.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-5694233961554019160</id><published>2012-10-18T17:10:00.000-04:00</published><updated>2012-11-18T11:31:04.871-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Teaching" /><category scheme="http://www.blogger.com/atom/ns#" term="Academia" /><title type="text">Teaching again</title><content type="html">&lt;p&gt;I have started preparing my introductory computer security course for next semester. 
The course is geared towards junior and senior undergraduate computer science and information systems students. As much as possible, I like to bring in writing assignments (human language, not computer code), and hands-on assignments.&amp;nbsp;&lt;/p&gt;&lt;p&gt;This year, I feel that it is time to shake stuff up a bit and change a bunch of topics around. So, I've decided to ask for some community feedback. There are 15 weeks in a semester. Each week, I have 2.5 hours of instructional time, and assignments come in addition to that. My expectation is that all students spend 4-5 hrs per week on the material.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Here are some of the topics that I want to include. Note that this is just a simple bullet list. What do you think? Should I add/remove topics? How would you order them in time? What kind of assignments and what kind of reading materials would you recommend?&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div&gt;&lt;div style="text-align: -webkit-auto; font-size: medium; font-family: Tahoma; color: rgb(0, 0, 0); "&gt;Topics to be covered&lt;/div&gt;&lt;ol style="color: rgb(0, 0, 0); font-family: Tahoma; text-align: -webkit-auto; font-size: medium; "&gt;&lt;li&gt;Introduction to describe what we are protecting, who is attacking and how we are being &amp;nbsp;attacked&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Defender methodology (defense in depth, CIA, pirl, business continuity)&lt;/li&gt;&lt;li&gt;Attacker methodology&lt;/li&gt;&lt;li&gt;Risk and stuff&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Ethics and law&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Ethics&lt;/li&gt;&lt;li&gt;Codes of Ethics&lt;/li&gt;&lt;li&gt;Relevant Law (Federal and State)&lt;/li&gt;&lt;li&gt;Relevant Law Enforcement Agencies&lt;/li&gt;&lt;li&gt;Investigations&lt;/li&gt;&lt;li&gt;Evidence&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Authentication&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Identification plus verification&lt;/li&gt;&lt;li&gt;Multi factor authentication (aka: why passwords 
suck)&lt;/li&gt;&lt;li&gt;Password attacks&lt;/li&gt;&lt;li&gt;Social engineering&lt;/li&gt;&lt;li&gt;Stupidity (default passwords, silly reset mechanisms, etc)&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Access control&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Some boring theory about models (DAC, MAC, RBAC)&lt;/li&gt;&lt;li&gt;Examples of access control bypass&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Cryptography&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&amp;nbsp;Confidentiality&lt;/li&gt;&lt;li&gt;Authenticity&lt;/li&gt;&lt;li&gt;Non-repudiation&lt;/li&gt;&lt;li&gt;Hashing&lt;/li&gt;&lt;li&gt;PKI vs web of trust&lt;/li&gt;&lt;li&gt;Block ciphers vs. stream ciphers&lt;/li&gt;&lt;li&gt;Symmetric vs. Asymmetric crypto&lt;/li&gt;&lt;li&gt;SSL&lt;/li&gt;&lt;li&gt;SSH (hands-on) including hardening&lt;/li&gt;&lt;li&gt;WEP/WPA&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Open source intelligence gathering&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Domain and IP registration process&lt;/li&gt;&lt;li&gt;Whois&lt;/li&gt;&lt;li&gt;DNS&lt;/li&gt;&lt;li&gt;Web sites&lt;/li&gt;&lt;li&gt;Job advertisements&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Networking&lt;br /&gt;&lt;ol&gt;&lt;li&gt;TCP/IP&lt;/li&gt;&lt;li&gt;Layer 2 stuff&lt;/li&gt;&lt;li&gt;Equipment (Firewall, Router, Switch, Hub)&lt;/li&gt;&lt;li&gt;Nmap&lt;/li&gt;&lt;li&gt;Tcpdump&lt;/li&gt;&lt;li&gt;Vulnerability scanning&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Common causes of exploitation&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Bad software&lt;/li&gt;&lt;li&gt;Bad configuration&lt;/li&gt;&lt;li&gt;Bad people&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Web application attacks&lt;br /&gt;&lt;ol&gt;&lt;li&gt;SQL injection&lt;/li&gt;&lt;li&gt;XSS&lt;/li&gt;&lt;li&gt;CSRF&lt;/li&gt;&lt;li&gt;OWASP top-20&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Endpoint attacks&lt;br /&gt;&lt;ol&gt;&lt;li&gt;OS exploitation&lt;/li&gt;&lt;li&gt;Application exploitation&lt;/li&gt;&lt;li&gt;Vulnerability management&amp;nbsp;&lt;/li&gt;&lt;li&gt;Metasploit 
Framework&lt;/li&gt;&lt;li&gt;Antivirus&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Mobile stuff&lt;br /&gt;&lt;ol&gt;&lt;li&gt;OWASP mobile project&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Enterprise security&lt;br /&gt;&lt;ol&gt;&lt;li&gt;IDS / IPS&lt;/li&gt;&lt;li&gt;Log management and SIEM&lt;/li&gt;&lt;li&gt;DLP (on-premise and in-cloud)&lt;/li&gt;&lt;li&gt;NAC&lt;/li&gt;&lt;li&gt;Vulnerability management / patch management&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div style="color: rgb(0, 0, 0); font-family: Tahoma; text-align: -webkit-auto; font-size: medium; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="color: rgb(0, 0, 0); font-family: Tahoma; text-align: -webkit-auto; font-size: medium; "&gt;&lt;span style="background-color: rgba(255, 255, 255, 0.00390625);"&gt;Removed from the course&lt;/span&gt;&lt;/div&gt;&lt;div style="color: rgb(0, 0, 0); font-family: Tahoma; text-align: -webkit-auto; font-size: medium; "&gt;&lt;span style="background-color: rgba(255, 255, 255, 0.00390625);"&gt;- forensics&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="color: rgb(0, 0, 0); font-family: Tahoma; text-align: -webkit-auto; font-size: medium; "&gt;&lt;span style="background-color: rgba(255, 255, 255, 0.00390625);"&gt;- building buffer overflows&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;br/&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/1yxyxJwPb2k" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/5694233961554019160/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/10/teaching-again.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5694233961554019160" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/5694233961554019160" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/1yxyxJwPb2k/teaching-again.html" title="Teaching again" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/10/teaching-again.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-5583377899013638783.post-1876654754059633566</id><published>2012-08-20T17:41:00.000-04:00</published><updated>2012-11-18T11:31:04.824-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Leadership" /><title type="text">The delicate dance between vendors and clients</title><content type="html">&lt;div class="mt-image-right" style="float: right; margin: 0 0 20px 20px;"&gt;&lt;img alt="463907_76131724_small.jpg" src="http://www.leune.org/blog/kees/uploads/463907_76131724_small.jpg" width="300" 
height="200" /&gt;&lt;br /&gt;Source: &lt;a href="http://www.sxc.hu/photo/463907"&gt;stock.xchng&lt;/a&gt;&lt;/div&gt;More and more I get the feeling of not being taken seriously by my vendors. It appears that it is time for a few reality checks.&amp;nbsp;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Vendors: Not a single one of you provides such a unique and special product that there are no alternatives.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Between reduced customer services, botched contract renewals, insane price increases and now the next one, trying to strong-arm me into renegotiating my contract well before it expires in an attempt to lock me in for another 3 years.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Is it really that hard to understand that the relationship between a client and a vendor is based primarily on trust?&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Sure, you offer a good product, and of course the price that I negotiated with you is making you take a loss on the deal, but do you really not realize that when you damage the trust that I have in you, I have pretty much no other avenue than not continuing our relationship?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In the last month, this happened to me twice. Two vendors have been told that I will not be renewing my contract; both of them acted as if they were surprised. Initially, I started to believe that my expectations are too high, until I realized that they work for me, and I do not work for them. No vendor can tell me what is best for my organization, or where I need to focus my resources. That value-decision is mine to make, and I will make it.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;Sure, "forklifting" an existing solution out to replace it with another one can be expensive, but it does not have to be with proper leadership. 
It is time to realize that clients make decisions primarily based on value that they perceive, and a real prerequisite for me to perceive value is that I need to trust you.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;And no, trust is not obtained by buying me drinks at Defcon or by serving me fantastic steak dinners at BlackHat. Trust is obtained by showing me respect, by being predictable, and not by blindsiding me with stupid requests and unwarranted changes for which I have not asked.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;A few important lessons to take away from this:&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;Architecture trumps technology each and every time. Never build a situation where you end up with a technology lock-in.&lt;/li&gt;&lt;li&gt;Be open and receptive to your vendors, but do not let them give you the run-around&lt;/li&gt;&lt;li&gt;Always have a plan B in place for every technology that you use&lt;/li&gt;&lt;li&gt;Do not be afraid to use plan B&lt;/li&gt;&lt;li&gt;If you have the luxury of being able to do so, focus on VALUE rather than on COST&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;br /&gt;&lt;br/&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/72G_D31cuNk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.leune.org/feeds/1876654754059633566/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.leune.org/2012/08/the-delicate-dance-between-vendors-and.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/1876654754059633566" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5583377899013638783/posts/default/1876654754059633566" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/72G_D31cuNk/the-delicate-dance-between-vendors-and.html" title="The delicate dance between vendors and clients" /><author><name>Kees Leune</name><uri>https://plus.google.com/103918398627307367600</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-Xrc4sKZuTwo/AAAAAAAAAAI/AAAAAAAAARE/juv9zEkyoIg/s512-c/photo.jpg" /></author><thr:total>0</thr:total><gd:extendedProperty name="commentSource" value="1" /><gd:extendedProperty name="commentModerationMode" value="FILTERED_POSTMOD" /><feedburner:origLink>http://blog.leune.org/2012/08/the-delicate-dance-between-vendors-and.html</feedburner:origLink></entry></feed>
