<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>Kees Leune</title>
    <link rel="alternate" type="text/html" href="http://www.leune.org/blog/kees/" />
    
    <id>tag:www.leune.org,2007-08-17:/blog/kees/4</id>
    <updated>2009-06-18T16:42:47Z</updated>
    <subtitle>Thoughts and ponderings from the life and work of an information security officer</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.25</generator>

<link rel="self" href="http://feeds.feedburner.com/kees" type="application/atom+xml" /><feedburner:emailServiceId>kees</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry>
    <title>Business Continuity Planning</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/KyJHpssCWgg/business-continuity-planning.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.628</id>

    <published>2009-06-18T16:33:00Z</published>
    <updated>2009-06-18T16:42:47Z</updated>

    <summary type="html">Everyone with some form of security training should be aware of the fact that information security is commonly defined in terms of Integrity, Confidentiality and Availability. Integrity &amp;amp; Confidentiality is what most security pro's think of when they are securing...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Business Continuity" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;Everyone with some form of security training should be aware of the fact that information security is commonly defined in terms of Integrity, Confidentiality and Availability. Integrity and Confidentiality are what most security pros think of when they are securing an infrastructure. We deploy layers of defense, harden applications, encrypt data, develop (implement and monitor) policies and whatnot.&lt;/p&gt;&lt;p&gt;The availability part is often only addressed in a business continuity / disaster recovery plan. In such a plan, we worry about how a server's outage influences our ability to deliver value to the business, and we make educated decisions on the amount of redundancy we need to implement to prevent interruptions or service degradations.&lt;/p&gt;&lt;p&gt;Today's weather is a perfect trigger to go review your business continuity plan. Areas of the USA have been hit by tornadoes, the Mid-West is littered with severe weather alerts and other areas are threatened by tropical storms. It has not stopped raining here on the East Coast and it is coming down in buckets.&lt;/p&gt;&lt;p&gt;Are you ready to deal with leaks in the building that houses your primary data processing facilities? Do you have equipment in basements that might be affected by flooding? Have you made your backups (and checked that you can restore them) and stored them in a waterproof location off-site? How quickly can you relocate your critical systems? Do you even know what the critical systems (other than Facebook and Twitter) for your organization are? Are your key personnel aware of the fact that you have a business continuity plan? Are they familiar with it? Do you have an up-to-date call list? Do you have (several) hardcopies of your plans?&lt;/p&gt;&lt;p&gt;You should have worried about this a long time ago, but if you haven't, now would be a good time to start.&lt;/p&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/B58l8hICzHloXAoO7wCukCXnMXU/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/B58l8hICzHloXAoO7wCukCXnMXU/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/B58l8hICzHloXAoO7wCukCXnMXU/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/B58l8hICzHloXAoO7wCukCXnMXU/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=KyJHpssCWgg:N8DvWkvwimI:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=KyJHpssCWgg:N8DvWkvwimI:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=KyJHpssCWgg:N8DvWkvwimI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=KyJHpssCWgg:N8DvWkvwimI:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=KyJHpssCWgg:N8DvWkvwimI:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=KyJHpssCWgg:N8DvWkvwimI:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=KyJHpssCWgg:N8DvWkvwimI:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=KyJHpssCWgg:N8DvWkvwimI:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=KyJHpssCWgg:N8DvWkvwimI:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/KyJHpssCWgg" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/06/business-continuity-planning.html</feedburner:origLink></entry>

<entry>
    <title>Scratching an itch</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/ulT3zlVqsIg/scratching-an-itch.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.625</id>

    <published>2009-06-12T13:00:00Z</published>
    <updated>2009-06-12T12:37:45Z</updated>

    <summary type="html">Every now and then, I need to scratch a technical itch. Fortunately, Chris Christianson had the good taste to post Caesar's Challenge just as it manifested itself. The challenge was the following:4500 00c8 21c4 4000 8006 dee4 c0a8 3c01c0a8 3c35...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Technical" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;Every now and then, I need to scratch a technical itch. Fortunately, Chris Christianson had the good taste to post &lt;a href="http://ismellpackets.com/2009/06/08/caesars-challenge/"&gt;Caesar's Challenge&lt;/a&gt; just as it manifested itself.&lt;/p&gt;&lt;p&gt;The challenge was the following:&lt;/p&gt;&lt;pre&gt;4500 00c8 21c4 4000 8006 dee4 c0a8 3c01&lt;br /&gt;c0a8 3c35 0014 0841 ea5d efe1 32e0 3fa1&lt;br /&gt;5018 ffff 2c6d 0000 1f8b 0808 d92d 074a&lt;br /&gt;0203 6669 6c65 005d 8ecb 9104 210c 43ef&lt;br /&gt;1385 4210 fe01 e1b8 7ae8 fc43 1871 d8cb&lt;br /&gt;faa0 924b cf82 4812 6419 3aaa e5b4 2e8e&lt;br /&gt;81fd ec8d 87bd e00f c79f f344 767d 41a3&lt;br /&gt;098e 034f f31b 0c39 3f88 9e89 3a46 18dd&lt;br /&gt;af28 706f f8f0 82f7 5db7 d2d0 fc17 634c&lt;br /&gt;54d6 914c 43ed 72c4 532f 6a72 c329 4925&lt;br /&gt;48cb db9c 8564 2cc4 1baf b81c 7a5c cde9&lt;br /&gt;b7af f4b5 5882 c5f9 45c4 852e 62b1 3f3f&lt;br /&gt;c173 e305 f500 0000&lt;br /&gt;&lt;/pre&gt;&lt;p&gt;After looking at this for a while, it became obvious that this is an IPv4 packet. The first few bytes (4500) are a dead giveaway. Using the &lt;a href="http://www.sans.org/info/3871"&gt;SANS TCP/IP cheat sheet&lt;/a&gt;, I was able to confirm that this was indeed an IPv4 packet.&lt;/p&gt;&lt;p&gt;First order of business: get this into a workable format. I started by dumping it into a file (&lt;tt&gt;challenge.1&lt;/tt&gt;) and converting it to binary:&lt;/p&gt;&lt;pre&gt;xxd -r -p challenge.1 challenge.2&lt;/pre&gt;&lt;p&gt;Opening &lt;tt&gt;challenge.2&lt;/tt&gt; in a hex editor gave me a little more insight into what I was doing. I used &lt;tt&gt;hexedit&lt;/tt&gt; on Linux and Notepad++ on Windows.&lt;/p&gt;&lt;p&gt;The payload of the TCP packet started after 20 bytes (5*32/8), or at offset 0x14.
Repeating the process of copying the payload into &lt;tt&gt;challenge.3&lt;/tt&gt; and making it binary using &lt;tt&gt;xxd&lt;/tt&gt;, I got a resulting file &lt;tt&gt;challenge.4&lt;/tt&gt;. Running &lt;tt&gt;file challenge.4&lt;/tt&gt; on Linux told me that it was gzipped data.&lt;/p&gt;&lt;p&gt;Copying &lt;tt&gt;challenge.4&lt;/tt&gt; to &lt;tt&gt;challenge.5.gz&lt;/tt&gt; and gunzipping the file yielded &lt;tt&gt;challenge.5&lt;/tt&gt;, which, viewed in a hex editor, turned out to be another IP packet. This time the packet contained a UDP payload going from source port 23149 to destination port 514 on the same two hosts. The payload of the UDP packet looked like syslog, and the port numbers confirmed that:&lt;/p&gt;&lt;pre&gt;&amp;lt;15&amp;gt;Jun&amp;nbsp; 3 13:16:19 DDDDDDDD GenericLog&amp;nbsp;&amp;nbsp;&amp;nbsp; 0&amp;nbsp;&amp;nbsp;&amp;nbsp; VWRS VPHOOLQJ SDFNHW SOHDVH&lt;/pre&gt;&lt;p&gt;Remember the title of the challenge? Exactly: a Caesar shift. Fortunately, it did not take long to figure out that the offset was 3, which resulted in the answer: &lt;em&gt;STOP SMELLING PACKET PLEASE.&lt;/em&gt;&lt;/p&gt;
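&lt;p&gt;The whole chain above, written out as an added Python example that is not part of the original post: the hex dump is the one posted in the challenge, the function names and the layout of the results are mine. Rather than hard-coding where the gzip stream starts, the parser takes the IPv4 header length from the IHL field and the TCP header length from the data-offset field, which is why the 1f 8b gzip magic turns up 40 bytes into the dump (a 20-byte IP header followed by a 20-byte TCP header). It also verifies the IPv4 header checksum, a cheap way to confirm that a hand-transcribed dump was copied correctly, and instead of guessing the Caesar offset it lists all 26 candidate shifts of the trailing capitalised words of the syslog line, so the readable one stands out.&lt;/p&gt;

```python
import gzip
import struct
# The hex dump exactly as posted in the challenge; whitespace is ignored.
OUTER_HEX = """
4500 00c8 21c4 4000 8006 dee4 c0a8 3c01
c0a8 3c35 0014 0841 ea5d efe1 32e0 3fa1
5018 ffff 2c6d 0000 1f8b 0808 d92d 074a
0203 6669 6c65 005d 8ecb 9104 210c 43ef
1385 4210 fe01 e1b8 7ae8 fc43 1871 d8cb
faa0 924b cf82 4812 6419 3aaa e5b4 2e8e
81fd ec8d 87bd e00f c79f f344 767d 41a3
098e 034f f31b 0c39 3f88 9e89 3a46 18dd
af28 706f f8f0 82f7 5db7 d2d0 fc17 634c
54d6 914c 43ed 72c4 532f 6a72 c329 4925
48cb db9c 8564 2cc4 1baf b81c 7a5c cde9
b7af f4b5 5882 c5f9 45c4 852e 62b1 3f3f
c173 e305 f500 0000
"""

def hex_to_bytes(dump):
    """What 'xxd -r -p' does: drop whitespace and decode the hex pairs."""
    return bytes.fromhex("".join(dump.split()))

def ipv4_checksum_ok(header):
    """RFC 791: one's-complement sum of all 16-bit words (checksum field included) folds to 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total // 0x10000:  # fold the carries back into 16 bits
        total = total % 0x10000 + total // 0x10000
    return total == 0xffff

def parse_ipv4(pkt):
    """Header length comes from the IHL field (32-bit words), not assumed to be 20."""
    version, ihl = pkt[0] // 16, pkt[0] % 16
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    header_len, total_len = ihl * 4, struct.unpack("!H", pkt[2:4])[0]
    if header_len not in range(20, total_len + 1) or total_len not in range(header_len, len(pkt) + 1):
        raise ValueError("inconsistent IPv4 lengths")
    return {"version": version, "ihl": ihl, "total_length": total_len, "protocol": pkt[9],
            "src": ".".join(str(b) for b in pkt[12:16]), "dst": ".".join(str(b) for b in pkt[16:20]),
            "checksum_ok": ipv4_checksum_ok(pkt[:header_len]), "payload": pkt[header_len:total_len]}

def parse_tcp(segment):
    """Header length comes from the data-offset nibble (32-bit words)."""
    sport, dport = struct.unpack("!HH", segment[0:4])
    header_len = (segment[12] // 16) * 4
    if header_len not in range(20, len(segment) + 1):
        raise ValueError("bad TCP data offset")
    return {"sport": sport, "dport": dport, "header_len": header_len, "payload": segment[header_len:]}

def parse_udp(datagram):
    """Fixed 8-byte header; the length field covers header plus data."""
    sport, dport, length = struct.unpack("!HHH", datagram[0:6])
    return {"sport": sport, "dport": dport, "length": length, "payload": datagram[8:length]}

def is_gzip(data):
    # 'file' recognises gzip by the RFC 1952 magic bytes 1f 8b.
    return data[:2] == b"\x1f\x8b"

def caesar_shift(text, shift):
    """Move every ASCII letter back by 'shift' places (decrypt); leave the rest alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def trailing_upper_words(msg):
    """The ciphertext is the run of all-capital words that ends the syslog line."""
    tail = []
    for word in reversed(msg.split()):
        if not (word.isalpha() and word.isupper()):
            break
        tail.insert(0, word)
    return " ".join(tail)

def solve(hex_dump):
    """Run the whole chain; return every intermediate result plus all 26 shift candidates."""
    outer = parse_ipv4(hex_to_bytes(hex_dump))
    if outer["protocol"] != 6:
        raise ValueError("outer packet is not TCP")
    tcp = parse_tcp(outer["payload"])
    if not is_gzip(tcp["payload"]):
        raise ValueError("TCP payload is not a gzip stream")
    inner = parse_ipv4(gzip.decompress(tcp["payload"]))
    if inner["protocol"] != 17:
        raise ValueError("inner packet is not UDP")
    udp = parse_udp(inner["payload"])
    syslog_msg = udp["payload"].decode("ascii", "replace").strip("\x00 \r\n")
    cipher = trailing_upper_words(syslog_msg)
    return {"outer": outer, "tcp": tcp, "inner": inner, "udp": udp, "syslog": syslog_msg,
            "candidates": [caesar_shift(cipher, s) for s in range(26)]}  # brute force, index = shift

if __name__ == "__main__":
    r = solve(OUTER_HEX)
    print("outer: %(src)s to %(dst)s proto %(protocol)d checksum_ok=%(checksum_ok)s" % r["outer"])
    print("tcp: %(sport)d to %(dport)d," % r["tcp"], len(r["tcp"]["payload"]), "gzip payload bytes")
    print("inner: %(src)s to %(dst)s proto %(protocol)d;" % r["inner"], "udp: %(sport)d to %(dport)d" % r["udp"])
    print("syslog:", r["syslog"])
    for shift, candidate in enumerate(r["candidates"]):
        print("shift %2d: %s" % (shift, candidate))
```

&lt;p&gt;Run it as a script to see each stage printed; the candidate list shows the plaintext at shift 3. Because both header lengths are read from the headers themselves, the same parsers also cope with packets that carry IP or TCP options, and the checksum routine flags a dump in which a single header byte was mis-typed.&lt;/p&gt;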
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/oDWuueRUWZaJhvrhfxA0uyxWCZc/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/oDWuueRUWZaJhvrhfxA0uyxWCZc/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/oDWuueRUWZaJhvrhfxA0uyxWCZc/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/oDWuueRUWZaJhvrhfxA0uyxWCZc/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=ulT3zlVqsIg:1zzGbRu9EyQ:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=ulT3zlVqsIg:1zzGbRu9EyQ:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=ulT3zlVqsIg:1zzGbRu9EyQ:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=ulT3zlVqsIg:1zzGbRu9EyQ:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=ulT3zlVqsIg:1zzGbRu9EyQ:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=ulT3zlVqsIg:1zzGbRu9EyQ:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=ulT3zlVqsIg:1zzGbRu9EyQ:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=ulT3zlVqsIg:1zzGbRu9EyQ:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=ulT3zlVqsIg:1zzGbRu9EyQ:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/ulT3zlVqsIg" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/06/scratching-an-itch.html</feedburner:origLink></entry>

<entry>
    <title>New papers in the SANS reading room</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/j8ZzfYnmi7A/new-papers-in-the-sans-reading.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.622</id>

    <published>2009-06-11T17:25:44Z</published>
    <updated>2009-06-11T18:14:37Z</updated>

    <summary type="html">I have recently expanded my involvement with SANS by signing up as a Gold adviser. In addition to guiding students through writing their papers, advisers also review work that has been graded by the primary adviser. This endorsement creates an...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Attacks and Exploits" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Incident Response" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="airt" label="airt" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mohan" label="mohan" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="pcproxy" label="pcproxy" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="vandenbrink" label="vandenbrink" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;I have recently expanded my involvement with SANS by signing up as a Gold adviser. In addition to guiding students through writing their papers, advisers also review work that has been graded by the primary adviser. This endorsement creates an independent quality control review and makes it harder for sub-par papers to get through.&lt;/p&gt;&lt;p&gt;Some of the papers that I have reviewed recently are worth mentioning:&lt;/p&gt;&lt;p&gt;&lt;i&gt;Robert Vandenbrink&lt;/i&gt; authored &lt;a target="_blank" href="http://www.sans.org/reading_room/whitepapers/tools/ioscat_a_port_of_netcats_tcp_functions_to_cisco_ios_33109" title="IOScat - a Port of Netcat's TCP functions to Cisco IOS"&gt;IOScat - a Port of Netcat's TCP functions to Cisco IOS&lt;/a&gt;. In the paper, he describes how to implement netcat-like functionality in Cisco IOS using the Tcl language. Any security pro should know about netcat and be familiar with how to use it, so a paper describing how to bring some of its functionality to IOS is a must-read.&lt;/p&gt;&lt;p&gt;As an aside: in a long and dark past, I also used to dabble in that language, and as a matter of fact, it is still the most popular download on this site. The tool I made is used by flightsim fanatics and is called &lt;a href="http://www.leune.org/pcproxy"&gt;PCProxy&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;i&gt;Chris Mohan&lt;/i&gt; wrote &lt;a href="http://www.sans.org/reading_room/whitepapers/incident/virtual_rapid_response_systems_33114"&gt;Virtual Rapid Response Systems&lt;/a&gt;. The paper proposes to use virtual machines in incident response scenarios where there is no qualified handler on-site.
While the approach may not scale up to large corporate environments without some tweaking, some of the ideas that were proposed are interesting and can apply directly to users working for small and medium-sized enterprises.&lt;/p&gt;&lt;p&gt;As always with incident response, make sure that you keep records of what you do. Taking excellent notes is an absolute requirement, as is keeping track of the big picture. I still develop a tool that assists with the latter: the Application for Incident Response Teams (&lt;a href="http://airt.leune.com/"&gt;AIRT&lt;/a&gt;) supports CSIRTs with the administrative overhead of incident response. The tool is currently in use by several national CSIRTs and institutes for higher education. If you are looking for an incident management product, please drop me a line and we'll talk.&lt;/p&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/6gKFd3RWeXEpPFDuwrnlZfEZlM4/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/6gKFd3RWeXEpPFDuwrnlZfEZlM4/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/6gKFd3RWeXEpPFDuwrnlZfEZlM4/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/6gKFd3RWeXEpPFDuwrnlZfEZlM4/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=j8ZzfYnmi7A:4ZRdnQihSns:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=j8ZzfYnmi7A:4ZRdnQihSns:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=j8ZzfYnmi7A:4ZRdnQihSns:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=j8ZzfYnmi7A:4ZRdnQihSns:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=j8ZzfYnmi7A:4ZRdnQihSns:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=j8ZzfYnmi7A:4ZRdnQihSns:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=j8ZzfYnmi7A:4ZRdnQihSns:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=j8ZzfYnmi7A:4ZRdnQihSns:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=j8ZzfYnmi7A:4ZRdnQihSns:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/j8ZzfYnmi7A" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/06/new-papers-in-the-sans-reading.html</feedburner:origLink></entry>

<entry>
    <title>Enterprise Cloud Risk and Security</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/H7zKEpfi1jA/enterprise-cloud-risk-and-secu.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.627</id>

    <published>2009-06-10T13:28:54Z</published>
    <updated>2009-06-10T13:49:51Z</updated>

    <summary type="html">Thanks to Hoff's tweet earlier today, I watched a presentation titled Enterprise Cloud Risk and Security.Not only is the presentation an excellent use of a slide deck (no narration necessary), but some of the observations that are outlined in it...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Cloud" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Thoughts and ponderings" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;Thanks to &lt;a href="http://twitter.com/beaker"&gt;Hoff&lt;/a&gt;'s &lt;a href="http://twitter.com/Beaker/status/2102878524"&gt;tweet&lt;/a&gt; earlier today, I watched a presentation titled &lt;i&gt;Enterprise Cloud Risk and Security&lt;/i&gt;. Not only is &lt;a href="http://www.slideshare.net/mastermark/enterprise-cloud-risk-and-security"&gt;the presentation&lt;/a&gt; an excellent use of a slide deck (no narration necessary), but some of the observations that are outlined in it are representative of the thought processes of someone who gets it.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;"Fundamentally, engineering is about knowing and respecting the limitations of one's materials. ICT systems are built with software being one of the key materials. And software is thoughtstuff. For an engineer of thoughtstuff, the limitations of mathematics and cognitive science are the limitations of the material."&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;Masterson goes on to argue that "We need to stop thinking in terms of security and start thinking in terms of health". This argument is based on the premise that any time a fairly simple and controlled solution is scaled up, complexity is introduced that invalidates many of the controls meant to keep it secure.&lt;/p&gt;&lt;p&gt;A little later, Masterson introduces another interesting concept: Redundant Arrays of Independent Clouds (RAIC). Brilliant ;) The simple (and compelling) reason for RAIC is a bit of knowledge derived from biology and in particular ecosystems: diversity = health.&lt;/p&gt;&lt;p&gt;Issues with legacy security technologies such as firewalls are also briefly touched upon:&lt;/p&gt;&lt;p&gt;"Concepts like 'firewall' embody Russellian assumptions, and are only useful in the small.
Instead, consider concepts like quarantine, sterilization chambers, and disinfection, for example."&lt;/p&gt;&lt;p&gt;This is not to say that firewalls cannot be useful, but as we see more and more distribution in our computing infrastructure, with our data being spread globally, local perimeters will continue to be necessary, but no longer sufficient.&lt;/p&gt;&lt;p&gt;All in all a very interesting presentation in a novel format, bringing some good things to think about. Go watch &lt;a href="http://www.slideshare.net/mastermark/enterprise-cloud-risk-and-security"&gt;it&lt;/a&gt;.&lt;/p&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/os_BAjjhbIuMdgauzeWB5liRGmI/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/os_BAjjhbIuMdgauzeWB5liRGmI/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/os_BAjjhbIuMdgauzeWB5liRGmI/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/os_BAjjhbIuMdgauzeWB5liRGmI/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=H7zKEpfi1jA:DeH27Zt2H3A:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=H7zKEpfi1jA:DeH27Zt2H3A:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=H7zKEpfi1jA:DeH27Zt2H3A:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=H7zKEpfi1jA:DeH27Zt2H3A:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=H7zKEpfi1jA:DeH27Zt2H3A:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=H7zKEpfi1jA:DeH27Zt2H3A:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=H7zKEpfi1jA:DeH27Zt2H3A:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=H7zKEpfi1jA:DeH27Zt2H3A:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=H7zKEpfi1jA:DeH27Zt2H3A:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/H7zKEpfi1jA" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/06/enterprise-cloud-risk-and-secu.html</feedburner:origLink></entry>

<entry>
    <title>BlackHat 2009</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/aY-sP6PTsMg/blackhat-2009.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.626</id>

    <published>2009-06-08T23:08:42Z</published>
    <updated>2009-06-08T23:16:33Z</updated>

    <summary type="html">Blackhat just posted the schedule for its 2009 briefings, and as always, the schedule looks impressive. I'm happy to announce that I will be covering the Briefings as a member of the media. Every day, I'll try to get a...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Events" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="blackhat" label="BlackHat" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="defcon" label="defcon" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;a href="http://www.blackhat.com"&gt;Blackhat&lt;/a&gt; just posted the &lt;a href="http://www.blackhat.com/html/bh-usa-09/bh-usa-09-schedule.html"&gt;schedule&lt;/a&gt; for its 2009 &lt;a href="http://www.blackhat.com/html/bh-usa-09/bh-us-09-main.html"&gt;briefings&lt;/a&gt;, and as always, the schedule looks impressive.

I'm happy to announce that I will be covering the Briefings as a member of the media. Every day, I'll try to get a post out detailing my experiences. Since I haven't decided on the format yet, any feedback is appreciated!

This will be my first time at BlackHat, and I am really looking forward to it. Immediately following BlackHat, I'll also hang around at &lt;a href="http://www.defcon.org"&gt;DefCon&lt;/a&gt; for two days. I had a blast last year, and I fully expect this year to top that.

If you're going to be in Vegas, please drop me a note and we'll try to hook up!
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/mp3Poh9wsfwGiLUaMO8KvD4H0b8/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/mp3Poh9wsfwGiLUaMO8KvD4H0b8/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/mp3Poh9wsfwGiLUaMO8KvD4H0b8/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/mp3Poh9wsfwGiLUaMO8KvD4H0b8/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=aY-sP6PTsMg:A-dGJSFKisU:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=aY-sP6PTsMg:A-dGJSFKisU:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=aY-sP6PTsMg:A-dGJSFKisU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=aY-sP6PTsMg:A-dGJSFKisU:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=aY-sP6PTsMg:A-dGJSFKisU:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=aY-sP6PTsMg:A-dGJSFKisU:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=aY-sP6PTsMg:A-dGJSFKisU:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=aY-sP6PTsMg:A-dGJSFKisU:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=aY-sP6PTsMg:A-dGJSFKisU:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/aY-sP6PTsMg" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/06/blackhat-2009.html</feedburner:origLink></entry>

<entry>
    <title>Unlocking the cloud</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/8vL3yacsu2k/unlocking-the-cloud.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.624</id>

    <published>2009-06-08T00:23:34Z</published>
    <updated>2009-06-08T00:35:37Z</updated>

    <summary type="html">But now there is the danger of a new form of lock-in. "Cloud-computing"-the delivery of computer services from vast warehouses of shared machines-enables companies and individuals to cut costs by handing over the running of their [enterprise applications] to someone...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Cloud" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="ecomomist" label="Ecomomist" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;blockquote&gt;&lt;p&gt;&lt;i&gt;But now there is the danger of a new form of lock-in. "Cloud-computing"-the delivery of computer services from vast warehouses of shared machines-enables companies and individuals to cut costs by handing over the running of their [enterprise applications] to someone else, and then accessing it over the internet.&amp;nbsp; [..] But customers risk losing control once again, in particular over their data.&lt;/i&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div align="left"&gt;The Economist, May 30th-June 5th, p. 18&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;p&gt;Others have said it in the past, and more people will say it in the future: &lt;a href="http://www.economist.com/"&gt;The Economist&lt;/a&gt; is one of the best newspapers in the world and well worth its price. The publication pleasantly surprises me on many occasions, and this issue is no exception. &lt;/p&gt;&lt;p&gt;While the article is not very long, or even prominently positioned, it does contain a few very important observations: be careful not to lose control when moving existing data into the Cloud, and address the risk of not being able to move data out of the Cloud once it is in there.&lt;br /&gt;&lt;/p&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/koPVPd2GK_aA5E6NeUw7hbKJP08/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/koPVPd2GK_aA5E6NeUw7hbKJP08/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/koPVPd2GK_aA5E6NeUw7hbKJP08/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/koPVPd2GK_aA5E6NeUw7hbKJP08/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=8vL3yacsu2k:EjFH7VuqUZw:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=8vL3yacsu2k:EjFH7VuqUZw:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=8vL3yacsu2k:EjFH7VuqUZw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=8vL3yacsu2k:EjFH7VuqUZw:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=8vL3yacsu2k:EjFH7VuqUZw:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=8vL3yacsu2k:EjFH7VuqUZw:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=8vL3yacsu2k:EjFH7VuqUZw:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=8vL3yacsu2k:EjFH7VuqUZw:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=8vL3yacsu2k:EjFH7VuqUZw:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/8vL3yacsu2k" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/06/unlocking-the-cloud.html</feedburner:origLink></entry>

<entry>
    <title>High quality information and incident response</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/N8o3yrL2Io8/high-quality-information-and-i.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.623</id>

    <published>2009-06-03T19:38:15Z</published>
    <updated>2009-06-03T19:49:23Z</updated>

    <summary type="html">In order to effectively detect and respond to computer security incidents, an incident manager needs information. That information must have sufficient detail and enough coverage. This is why I get a little miffed when I see a work ticket get...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Incident Response" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        In order to effectively detect and respond to computer security incidents, an incident manager needs information. That information must have sufficient detail and enough coverage. This is why I get a little miffed when I see a work ticket get closed out with only the following information:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;i&gt;"Lots of these machines were infected with virus.&amp;nbsp; I killed them all."&lt;/i&gt;&lt;br /&gt;&lt;/blockquote&gt;There is (almost) no useful information in this update. &lt;br /&gt;&lt;br /&gt;How did you notice there were viruses on the machine? What tool detected them? How many machines were infected? Which machines were infected? What were those machines used for? Who had access to them? Was it the same virus on all machines, or were there different ones? Which viruses did you find? Was there antivirus installed? Was the antivirus running? Were the antivirus definitions up to date? Was the machine's operating system patched? Which users were logged on locally? What drive mappings did the user have open? How did you kill the viruses? Did you see the virus(es) somewhere else?&lt;br /&gt;&lt;br /&gt;Right now, I have no information and as a result I have to declare an information security incident. I get to find an answer to all these questions, probably resulting in a finding that one user does stupid stuff on multiple workstations, or that the office is doing bad stuff as a whole. Either way, I anticipate some very targeted awareness training in my near future.&lt;br /&gt;&lt;br /&gt;Oh yes, due to this particular environment, users have local administrator access and are free to mess up their own machines as much as they want.&lt;br /&gt;
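
The questions above, turned into a check that a ticketing workflow can run before a malware ticket is allowed to close, as an added example (not code from the original post or from any ticketing product). The field names, host names, user names and both sample tickets are assumptions constructed for it:

```python
"""Completeness check for a malware incident ticket.

Added example, not code from the original post or from any ticketing
product. It turns the questions the post asks into a list of required
fields, scores a closing note against them, and applies the post's rule
that a note which leaves the questions unanswered forces a formal
incident. Field names, host names, user names and the sample tickets
are assumptions constructed for this example.
"""
from collections import Counter

# One required field per question in the post. A value of False is a
# legitimate answer ("antivirus was not running"); only absent or empty
# values count as unanswered.
REQUIRED_FIELDS = {
    "detection_source": "How was the infection noticed, and by which tool?",
    "hosts": "Which machines were infected, and how many?",
    "host_roles": "What were those machines used for, and who had access?",
    "malware_names": "Which virus(es), and was it the same one everywhere?",
    "av_installed": "Was antivirus installed?",
    "av_running": "Was the antivirus running?",
    "av_defs_current": "Were the antivirus definitions up to date?",
    "os_patched": "Was the operating system patched?",
    "logged_on_users": "Which users were logged on locally, per host?",
    "drive_mappings": "What drive mappings did the user have open?",
    "remediation": "How were the viruses killed?",
    "seen_elsewhere": "Was the virus seen somewhere else?",
}


def missing_fields(ticket):
    """Names of required fields that are absent or empty in the ticket."""
    return [name for name in REQUIRED_FIELDS
            if ticket.get(name) in (None, "", [], {})]


def completeness(ticket):
    """Fraction of the incident manager's questions the ticket answers."""
    return 1.0 - len(missing_fields(ticket)) / len(REQUIRED_FIELDS)


def must_declare_incident(ticket):
    """The post's rule: if the closing note leaves questions unanswered there
    is nothing to work with, so the event becomes a formal incident and the
    questions get answered by investigation instead."""
    return bool(missing_fields(ticket))


def shared_users(ticket):
    """Users logged on to more than one of the infected hosts.

    One name recurring across workstations supports the post's first
    hypothesis (one user doing the same thing on several machines); no
    recurring name points at the office as a whole."""
    counts = Counter()
    for users in ticket.get("logged_on_users", {}).values():
        counts.update(set(users))       # count each user once per host
    # counts start at 1, so anything other than 1 means more than one host
    return sorted(user for user, n in counts.items() if n != 1)


# Constructed sample: the closing note quoted in the post, and nothing else.
BAD_TICKET = {
    "closing_note": "Lots of these machines were infected with virus. I killed them all.",
}

# Constructed sample of the same event written up properly.
GOOD_TICKET = {
    "detection_source": "endpoint AV console alert, confirmed by on-site scan",
    "hosts": ["ws-101", "ws-102", "ws-107"],
    "host_roles": {"ws-101": "front desk", "ws-102": "front desk", "ws-107": "shared kiosk"},
    "malware_names": ["sample-worm-A"],
    "av_installed": True,
    "av_running": False,
    "av_defs_current": False,
    "os_patched": True,
    "logged_on_users": {"ws-101": ["jdoe"], "ws-102": ["jdoe", "asmith"], "ws-107": ["jdoe"]},
    "drive_mappings": {"ws-101": ["\\\\fs1\\shared"], "ws-102": ["\\\\fs1\\shared"], "ws-107": []},
    "remediation": "full scan with current definitions, quarantine, reboot, re-scan",
    "seen_elsewhere": False,
}


if __name__ == "__main__":
    for label, ticket in (("bad", BAD_TICKET), ("good", GOOD_TICKET)):
        print(label, f"{completeness(ticket):.0%} complete,",
              "incident" if must_declare_incident(ticket) else "no incident,",
              "shared users:", shared_users(ticket))
```

The quoted closing note answers none of the questions, scores zero and is escalated exactly as the post describes; the properly written ticket answers all of them, and shared_users picks out the one account that was logged on to all three workstations, which is the first hypothesis the post anticipates.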
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/AwgLrBDIKojlbcxkc5JQ53whAkU/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/AwgLrBDIKojlbcxkc5JQ53whAkU/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/AwgLrBDIKojlbcxkc5JQ53whAkU/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/AwgLrBDIKojlbcxkc5JQ53whAkU/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=N8o3yrL2Io8:I0exWKvv-Ng:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=N8o3yrL2Io8:I0exWKvv-Ng:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=N8o3yrL2Io8:I0exWKvv-Ng:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=N8o3yrL2Io8:I0exWKvv-Ng:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=N8o3yrL2Io8:I0exWKvv-Ng:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=N8o3yrL2Io8:I0exWKvv-Ng:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=N8o3yrL2Io8:I0exWKvv-Ng:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=N8o3yrL2Io8:I0exWKvv-Ng:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=N8o3yrL2Io8:I0exWKvv-Ng:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/N8o3yrL2Io8" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/06/high-quality-information-and-i.html</feedburner:origLink></entry>

<entry>
    <title>CNET's Cybersecurity Quiz</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/dR7FLapeXnY/cnets-cybersecurity-quiz.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.621</id>

    <published>2009-06-01T13:53:32Z</published>
    <updated>2009-06-01T13:59:51Z</updated>

    <summary type="html">On Friday, I posted my response to President Obama's Cyberspace Policy Review. Today CNET put up A cybersecurity quiz: Can you tell Obama from Bush? The article goes back in time to 2003 when President George W. Bush also made...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Strategy" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;On Friday, I posted my response to President Obama's &lt;a href="http://www.leune.org/blog/kees/2009/05/the-cyberspace-policy-review.html"&gt;Cyberspace Policy Review&lt;/a&gt;. Today CNET put up &lt;a href="http://news.cnet.com/8301-13578_3-10252263-38.html"&gt;A cybersecurity quiz: Can you tell Obama from Bush&lt;/a&gt;? The article goes back in time to 2003, when President George W. Bush also made an attempt to formulate a national strategy to secure cyberspace. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;The similarities between the two documents are striking. The real question to ask is: how much progress have we made in the previous 6 years, if these same issues still pop up? I'm afraid the answer is: not much. Let's hope the next 6 show some more.&lt;br /&gt;&lt;/p&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/u3e9lSS3ZCBBmrU3AxmfgU6whLk/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/u3e9lSS3ZCBBmrU3AxmfgU6whLk/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/u3e9lSS3ZCBBmrU3AxmfgU6whLk/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/u3e9lSS3ZCBBmrU3AxmfgU6whLk/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=dR7FLapeXnY:ZzVPIKP-9mw:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=dR7FLapeXnY:ZzVPIKP-9mw:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=dR7FLapeXnY:ZzVPIKP-9mw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=dR7FLapeXnY:ZzVPIKP-9mw:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=dR7FLapeXnY:ZzVPIKP-9mw:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=dR7FLapeXnY:ZzVPIKP-9mw:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=dR7FLapeXnY:ZzVPIKP-9mw:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=dR7FLapeXnY:ZzVPIKP-9mw:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=dR7FLapeXnY:ZzVPIKP-9mw:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/dR7FLapeXnY" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/06/cnets-cybersecurity-quiz.html</feedburner:origLink></entry>

<entry>
    <title>The Cyberspace Policy Review</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/a4Y6ft5Tzy8/the-cyberspace-policy-review.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.620</id>

    <published>2009-05-29T19:00:12Z</published>
    <updated>2009-05-29T19:16:15Z</updated>

    <summary type="html">President Obama presented the Cyberspace Policy Review today. The document reports on a changing direction of US cyber security policy under the new Administration. It is less about governance and more about "getting stuff done". The new policy has the...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Strategy" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="cyberspacepolicyreview" label="Cyberspace Policy Review" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;President Obama presented the Cyberspace Policy Review today. The document reports on a changing direction of &lt;a href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf"&gt;US cyber security policy&lt;/a&gt; under the new Administration. It is less about governance and more about "getting stuff done". The new policy has the potential to bring security practitioners interesting times: attention for our trade, acknowledgment of the necessity of our skills and maybe even the odd job opportunity here and there. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;Much will depend on the person who will be chosen to fulfill the role of national cybersecurity coordinator and his ability to obtain true buy-in and commitment from the different government organizations.&lt;/p&gt;&lt;p&gt;Quotes like the following are encouraging to read:&lt;/p&gt;&lt;blockquote&gt;
  &lt;p&gt;"The architecture of the Nation's digital infrastructure, based largely upon the Internet, is not secure or resilient.&lt;br /&gt;&lt;/p&gt;
  &lt;p&gt;[...]&lt;/p&gt;
  &lt;p&gt;Research on new approaches to achieving security and resiliency in information and communication infrastructure is insufficient. The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;[...]&lt;/p&gt;&lt;p&gt;International norms are critical to establishing a secure and thriving digital infrastructure. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;[...]&lt;/p&gt;&lt;p&gt;Only by working with international partners can the United States best address these challenges, enhance cybersecurity, and reap the full benefits of the digital age"&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;The plan acknowledges that our networks are &lt;i&gt;not&lt;/i&gt; secure, and that this inherent level of insecurity must be addressed by increasing efforts (read: spending) to conduct true fundamental research that is not limited by national boundaries. This is a vision that I can support and which makes me look to the future with a sense of anticipation.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Other writeups worth reading:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Andrew Jaquith's view over at &lt;a href="http://blogs.forrester.com/srm/"&gt;The Forrester Blog for Security &amp;amp; Risk Professionals&lt;/a&gt;&lt;/li&gt;&lt;li&gt;Amrit Williams's view over at &lt;a href="http://techbuddha.wordpress.com/2009/05/29/the-whitehouse-releases-60-day-cyber-security-review/"&gt;his blog&lt;/a&gt;.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/DPaiLm99s-niy0ZHwcfowtt_CQg/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/DPaiLm99s-niy0ZHwcfowtt_CQg/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/DPaiLm99s-niy0ZHwcfowtt_CQg/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/DPaiLm99s-niy0ZHwcfowtt_CQg/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=a4Y6ft5Tzy8:dDVwzyHUTsY:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=a4Y6ft5Tzy8:dDVwzyHUTsY:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=a4Y6ft5Tzy8:dDVwzyHUTsY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=a4Y6ft5Tzy8:dDVwzyHUTsY:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=a4Y6ft5Tzy8:dDVwzyHUTsY:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=a4Y6ft5Tzy8:dDVwzyHUTsY:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=a4Y6ft5Tzy8:dDVwzyHUTsY:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=a4Y6ft5Tzy8:dDVwzyHUTsY:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=a4Y6ft5Tzy8:dDVwzyHUTsY:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/a4Y6ft5Tzy8" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/05/the-cyberspace-policy-review.html</feedburner:origLink></entry>

<entry>
    <title>Puffing in a Cloud of appearance</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/qwRvERIU-YI/puffing-in-a-cloud-of-appearan.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.619</id>

    <published>2009-05-28T13:29:04Z</published>
    <updated>2009-05-28T13:51:06Z</updated>

    <summary type="html">I am heading over to Jersey City tonight to attend a meeting on Cloud Security, organized by IOActive. Despite Hoff's best efforts, cloud security confuses me. I understand information security and I understand "The Cloud" as well as most other...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Cloud" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="cloud" label="cloud" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="cloudsecurityalliance" label="cloud security alliance" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="iaas" label="iaas" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="ioactive" label="ioactive" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="paas" label="paas" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="saas" label="saas" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="security" label="security" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;I am heading over to Jersey City tonight to attend a meeting on Cloud Security, organized by &lt;a href="http://ioactive.com/"&gt;IOActive&lt;/a&gt;. Despite &lt;a href="http://www.rationalsurvivability.com/blog/"&gt;Hoff&lt;/a&gt;'s best efforts, cloud security confuses me. I understand information security and I understand "&lt;i&gt;The Cloud&lt;/i&gt;" as well as most other people do (which isn't saying all that much), but I fail to see how combining the two suddenly makes a completely new field that is worthy of all the buzz it gets. &lt;/p&gt;

&lt;p&gt;We have been dealing with outsourced business functions for a long time and most organizations are used to doing it; some have even gotten quite good at it.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;I have been reading the &lt;a href="http://www.cloudsecurityalliance.org/"&gt;Cloud Security Alliance&lt;/a&gt;'s document titled &lt;a href="http://www.cloudsecurityalliance.org/guidance/csaguide.pdf"&gt;Security Guidance for Critical Areas of Focus in Cloud Computing&lt;/a&gt;. If you have not read that document yet, go do it now. If anything, the architectural framework defined in it is very worthwhile, and I hope it will lead the Cloud playing field to adopt similar terminology when talking about identical things.&lt;/p&gt;&lt;p&gt;Keeping in mind Hoff's distinction between the three architectural layers (Infrastructure as a Service, Platform as a Service, and Software as a Service) clearly helps in shaping our perception of the risks associated with outsourcing a business function, and it will support defining our responsibilities as an outsourcing organization.&lt;/p&gt;&lt;p&gt;The document provides guidance on how to direct existing efforts to facilitate Cloudification. There isn't all that much in there that is &lt;i&gt;truly&lt;/i&gt; new.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The fact that we are struggling with this shows once more that our field is young and emerging, and that we haven't really even reached adolescence. It is a fun time, but as with all new things, stepping back every now and then to reflect on what's going on should also be a priority.&lt;br /&gt;&lt;/p&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/weXIiI4Bf4-_QR9UGi0zi_C__k8/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/weXIiI4Bf4-_QR9UGi0zi_C__k8/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/weXIiI4Bf4-_QR9UGi0zi_C__k8/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/weXIiI4Bf4-_QR9UGi0zi_C__k8/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=qwRvERIU-YI:sdjvPrb1T_I:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=qwRvERIU-YI:sdjvPrb1T_I:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=qwRvERIU-YI:sdjvPrb1T_I:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=qwRvERIU-YI:sdjvPrb1T_I:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=qwRvERIU-YI:sdjvPrb1T_I:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=qwRvERIU-YI:sdjvPrb1T_I:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=qwRvERIU-YI:sdjvPrb1T_I:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=qwRvERIU-YI:sdjvPrb1T_I:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=qwRvERIU-YI:sdjvPrb1T_I:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/qwRvERIU-YI" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/05/puffing-in-a-cloud-of-appearan.html</feedburner:origLink></entry>

<entry>
    <title>Using service providers for information assurance</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/_TLcUD_k_xA/as-information-security-office.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.618</id>

    <published>2009-05-19T17:54:50Z</published>
    <updated>2009-05-19T18:46:21Z</updated>

    <summary type="html">As information security officer, my role is to ensure that my organization's information resources are not exposed to unwanted risks. One tool that is commonly used is to commission an external (independent) entity to assess how well resources are protected...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Strategy" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;As an information security officer, my role is to ensure that my organization's information resources are not exposed to unwanted risks. One tool that is commonly used is to commission an external (independent) entity to assess how well resources are protected from a technology point of view.&lt;/p&gt;&lt;p&gt;Unfortunately, all too often, an external assessment, or even a penetration test, will yield results that were mostly predictable. While having an independent entity confirm issues may bring a higher sense of urgency and grants the claim more credibility, it is still unsatisfactory to be spending a lot of money on a test whose results you were able to anticipate. Of course, independent auditors tend to have easier access to people higher in an organization, and using an auditor to further your own goals is an acceptable tactic to get things done.&lt;/p&gt;&lt;p&gt;One disadvantage of having external groups conduct vulnerability assessments or penetration tests is that they will only provide you with a snapshot in time. The many issues revolving around PCI compliance have clearly demonstrated that compliance on a certain day does not lead to continued compliance.&lt;/p&gt;&lt;p&gt;Lately, I have started to look around to see what service providers are out there that offer a "solution" (as much as I despise the word) that provides full-time (or on-demand) assessments at a fixed and predictable rate. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;Whether that assessment is done through manual scanning, automatic scanning, or by installing agents on end-points is really not so much of a concern to me. If I can obtain a (near) real-time overview of certain aspects of my infrastructure, provided by a credible and knowledgeable outside provider, why not research that further? 
&lt;br /&gt;&lt;/p&gt;&lt;p&gt;More than likely, I will be able to lower security costs by reducing the scope of annual vulnerability assessments (or pentests), drop the frequency at which those engagements take place, and concentrate on improving processes and procedures, rather than bring in more technology that brings with it more security concerns.&lt;/p&gt;&lt;p&gt; At the moment, I am evaluating several offerings, and depending on how much vendors are willing (and able) to work on price, I may be very interested.&lt;br /&gt;&lt;/p&gt;
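
The snapshot-in-time problem, shown with an added example that is not code from the post or from any provider it mentions: a constructed series of weekly scan snapshots is diffed to show drift between scans, and the findings that an assessment run on a single day would never have seen are listed with how long they were open. Host names, finding IDs, dates and the weekly cadence are assumptions made up for the example:

```python
"""What an annual point-in-time assessment misses that continuous scanning sees.

Added example, not the post's own code or any vendor's offering. It replays
a constructed series of weekly scan snapshots, diffs consecutive snapshots
to show drift, and lists the findings that were open during the period but
closed again before the day the external assessment ran. Host names,
finding IDs, dates and the weekly cadence are assumptions made up for the
example.
"""
from datetime import date, timedelta

CADENCE_DAYS = 7            # assumed interval between continuous scans
START = date(2009, 1, 5)    # assumed date of the first scan

# Constructed snapshots: one per week, mapping host to the set of open findings.
_WEEKLY = [
    {"web-1": {"F-ssl-weak-cipher"}, "db-1": set()},
    {"web-1": {"F-ssl-weak-cipher", "F-missing-patch-123"}, "db-1": set()},
    {"web-1": {"F-ssl-weak-cipher", "F-missing-patch-123"}, "db-1": {"F-default-creds"}},
    {"web-1": set(), "db-1": {"F-default-creds"}},
    {"web-1": set(), "db-1": set()},
]
SNAPSHOTS = [(START + timedelta(weeks=i), snap) for i, snap in enumerate(_WEEKLY)]


def drift(prev, curr):
    """Per-host diff of two consecutive snapshots: findings that appeared
    since the previous scan and findings that were closed."""
    report = {}
    for host in set(prev) | set(curr):
        before = prev.get(host, set())
        after = curr.get(host, set())
        report[host] = {"new": sorted(after - before), "closed": sorted(before - after)}
    return report


def exposure_windows(snapshots):
    """First and last scan date on which each (host, finding) pair was open."""
    windows = {}
    for day, snap in snapshots:
        for host, findings in snap.items():
            for finding in findings:
                first, _ = windows.get((host, finding), (day, day))
                windows[(host, finding)] = (first, day)
    return windows


def days_open(first, last):
    """Exposure length, counting the final weekly sample as a full interval
    (assumption: a finding seen once was open for that whole scan interval)."""
    return (last - first).days + CADENCE_DAYS


def missed_by_point_in_time(snapshots, assessment_day):
    """Findings the continuous series saw that an assessment run only on
    assessment_day would not have, as (host, finding, days exposed)."""
    on_that_day = dict(snapshots).get(assessment_day, {})
    missed = []
    for (host, finding), (first, last) in exposure_windows(snapshots).items():
        if finding not in on_that_day.get(host, set()):
            missed.append((host, finding, days_open(first, last)))
    return sorted(missed)


if __name__ == "__main__":
    for (day_a, snap_a), (day_b, snap_b) in zip(SNAPSHOTS, SNAPSHOTS[1:]):
        print(day_a, "to", day_b, drift(snap_a, snap_b))
    audit_day = START + timedelta(weeks=4)
    print("assessment on", audit_day, "missed:", missed_by_point_in_time(SNAPSHOTS, audit_day))
```

An assessment that happens to run in the final week finds every host clean and misses three findings that were open for two to three weeks; the same assessment two weeks earlier would have caught all three. The diff between consecutive scans is the part a continuous provider sells, and it is what lets the frequency of the annual engagement drop without losing sight of the drift in between.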
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/X_BoC0w9OQWYHdS7mWpeqmCo9zA/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/X_BoC0w9OQWYHdS7mWpeqmCo9zA/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/X_BoC0w9OQWYHdS7mWpeqmCo9zA/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/X_BoC0w9OQWYHdS7mWpeqmCo9zA/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=_TLcUD_k_xA:iibMJ7DQJe4:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=_TLcUD_k_xA:iibMJ7DQJe4:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=_TLcUD_k_xA:iibMJ7DQJe4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=_TLcUD_k_xA:iibMJ7DQJe4:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=_TLcUD_k_xA:iibMJ7DQJe4:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=_TLcUD_k_xA:iibMJ7DQJe4:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=_TLcUD_k_xA:iibMJ7DQJe4:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=_TLcUD_k_xA:iibMJ7DQJe4:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=_TLcUD_k_xA:iibMJ7DQJe4:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/_TLcUD_k_xA" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/05/as-information-security-office.html</feedburner:origLink></entry>

<entry>
    <title>Perseverance, attitude, and solidarity</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/OnPWNh99YvM/perseverance-attitude-and-soli.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.616</id>

    <published>2009-05-13T12:33:53Z</published>
    <updated>2009-05-13T12:42:27Z</updated>

    <summary type="html">Ron W posted a comment to one of Andy's blog posts that gets to the reality of being an information security officer so well that it deserves its own post. Here it is: Often, we in Security need to deal...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;Ron W posted a &lt;a href="http://www.andyitguy.com/blog/?p=755&amp;amp;cpage=1#comment-1326"&gt;comment&lt;/a&gt; to one of Andy's blog &lt;a href="http://www.andyitguy.com/blog/?p=755"&gt;posts&lt;/a&gt; that gets to the reality of being an information security officer so well that it deserves its own post. Here it is:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;Often, we in Security need to deal with&lt;br /&gt;
C - Criticism&lt;br /&gt;
R - Rejection&lt;br /&gt;
A - A$$h0l3s&lt;br /&gt;
P - Pressure&lt;/p&gt;&lt;/blockquote&gt;

&lt;blockquote&gt;&lt;p&gt;The keys are perseverance, attitude, and the realization that you're not alone.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;Criticism is the cornerstone of progress, as long as it is delivered in a constructive fashion. I am a firm believer in peer review and stakeholder buy-in. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;Rejection is something that happens everywhere, but it is also not always a bad thing. Our role as information security officers is to point out risks to business owners and leave the final decision up to them. If they disagree with our recommendations, we can start looking to reduce the risk somewhere else in our organization and mitigate the exposure some other way.&lt;/p&gt;&lt;p&gt;A$$h0l3s are everywhere.&lt;/p&gt;&lt;p&gt;Pressure is a good tool, but it must be used very, very cautiously. Once pressure is applied, it is very hard to let go without losing control. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;Realizing you're not alone is paramount. Information security is an extremely young discipline, and as a result, we must always be reaching out to our peers to learn from them. Visit conferences, local chapter meetings, training, etc. Although it may momentarily distract you from your "real work", it will pay off down the road when you can just pick up a phone and call a colleague to ask for advice.&lt;br /&gt;&lt;/p&gt;
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/r8OSzPuWnHFYim0XVMyn-xY_Q8U/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/r8OSzPuWnHFYim0XVMyn-xY_Q8U/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/r8OSzPuWnHFYim0XVMyn-xY_Q8U/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/r8OSzPuWnHFYim0XVMyn-xY_Q8U/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=OnPWNh99YvM:Q6Gh6DEN1lw:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=OnPWNh99YvM:Q6Gh6DEN1lw:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=OnPWNh99YvM:Q6Gh6DEN1lw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=OnPWNh99YvM:Q6Gh6DEN1lw:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=OnPWNh99YvM:Q6Gh6DEN1lw:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=OnPWNh99YvM:Q6Gh6DEN1lw:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=OnPWNh99YvM:Q6Gh6DEN1lw:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=OnPWNh99YvM:Q6Gh6DEN1lw:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=OnPWNh99YvM:Q6Gh6DEN1lw:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/OnPWNh99YvM" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/05/perseverance-attitude-and-soli.html</feedburner:origLink></entry>

<entry>
    <title>Family addition</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/euB22UYXezI/family-addition.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.615</id>

    <published>2009-04-22T14:04:30Z</published>
    <updated>2009-04-22T14:09:25Z</updated>

    <summary type="html">As a result of the recent addition to our family (baby boy born on 4/17), my blogging will be limited the next week or two. When I get back into swing, I'll resume writing about security things I read and...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        As a result of the recent addition to our family (baby boy born on 4/17), my blogging will be limited the next week or two. When I get back into swing, I'll resume writing about security things I read and hear.
        
    
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/_o1TYoSr2AMdcoz80HepvbtFjX4/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/_o1TYoSr2AMdcoz80HepvbtFjX4/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/_o1TYoSr2AMdcoz80HepvbtFjX4/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/_o1TYoSr2AMdcoz80HepvbtFjX4/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/kees?a=euB22UYXezI:EgeCmWvW848:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=euB22UYXezI:EgeCmWvW848:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=euB22UYXezI:EgeCmWvW848:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=euB22UYXezI:EgeCmWvW848:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=euB22UYXezI:EgeCmWvW848:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=euB22UYXezI:EgeCmWvW848:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=euB22UYXezI:EgeCmWvW848:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?i=euB22UYXezI:EgeCmWvW848:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/kees?a=euB22UYXezI:EgeCmWvW848:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/kees?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kees/~4/euB22UYXezI" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/04/family-addition.html</feedburner:origLink></entry>

<entry>
    <title>Why we sometimes think cheating is OK</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/TMUY2kDl9mU/why-we-somethings-think-cheati.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.614</id>

    <published>2009-04-10T18:58:47Z</published>
    <updated>2009-04-10T21:31:42Z</updated>

    <summary type="html">TED is awesome. I enjoy watching TED talks for a number of reasons. First: the topics are almost invariably extremely interesting and the observations of the speakers are inspiring. Second: I believe that the more good presentations you view,...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Awareness" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="cheating" label="cheating" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="ethics" label="ethics" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="morality" label="morality" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="ted" label="TED" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;&lt;a href="http://www.ted.com/"&gt;TED&lt;/a&gt; is an awesome. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;I enjoy watching TED talks for a number of reasons. First: the topics are almost invariably extremely interesting and the observations of the speakers are inspiring. Second: I believe that the more good presentations you view, the better your own presentations will become. Third: most presentations have some form of entertainment value.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Today I watched Dan Ariely's &lt;a href="http://www.ted.com/index.php/talks/dan_ariely_on_our_buggy_moral_code.html"&gt;video&lt;/a&gt; on &lt;i&gt;Why we think it's OK to cheat and steal (sometimes)&lt;/i&gt;. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;In the video, Ariely tries to answer the question if the probability of getting caught doing something wrong is related to the likelihood of cheating taking place. In other words: are people less likely to break the rules if their are more afraid of getting caught? The conclusion was something that should resonate very hard with information security professionals, and came a little bit as a surprise. The fear of getting caught does not apppear to have a very big impact on the probability of misuse taking place.&lt;br /&gt;&lt;/p&gt;
        &lt;p&gt;The conclusion was that when a lot of people can cheat, they will
cheat by a little bit. When we remind people about morality, they
cheat less. When we create more distance between the person cheating
and the object of cheating, people cheat more. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;When someone
from the in-group cheats, we feel, as a group, that it is more appropriate to
cheat, and cheating will go up. If, however, someone from the out-group
cheats, we feel a stronger sense of morality and our own level of
cheating will go down.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;What do we learn from this? &lt;br /&gt;&lt;/p&gt;&lt;p&gt;For
those of us who are responsible for awareness programs and compliance,
our best approach is to reduce the distance between
information security and people's day-to-day operations. We have to
make sure that everyone in an organization realizes that information
security procedures exist to make their life easier and their workload
lighter, instead of trying to stop them from getting their work done.&lt;/p&gt;&lt;p&gt;We
must also make sure that we manage the organization's culture. As soon
as the feeling creeps in that it is OK to circumvent some controls or
break some policies, everyone will do it and cheating will increase.
The tone must be set at the top: if there is a policy against carrying
company data on USB sticks, PDAs or smart phones, (executive)
management will have to demonstrate clearly that they follow that
policy too.&lt;/p&gt;&lt;p&gt;We have to constantly reach out to the organization
to remind everyone in it that following information security practices
is not about policies and procedures, but much more about ethics and
morality.&lt;/p&gt;&lt;p&gt;Finally, since observable cheating by a member of the
out-group leads to a lower level of cheating in the in-group, we must
leverage that. In other words, creating an 'us versus them' culture may
have beneficial effects on the level of compliance with policies.&lt;/p&gt;
    
</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/04/why-we-somethings-think-cheati.html</feedburner:origLink></entry>

<entry>
    <title>Brief introduction to challenges in Cloud Security </title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/kees/~3/UIzHazphcDo/brief-introduction-to-challeng.html" />
    <id>tag:www.leune.org,2009:/blog/kees//4.613</id>

    <published>2009-04-03T13:00:16Z</published>
    <updated>2009-04-03T13:10:04Z</updated>

    <summary type="html">For a lightning round at yesterday's New York Higher Education Technology Forum, I was asked to deliver a 10 minute introduction to "Some Information Security Challenges in Cloud Computing". As I usually do when I present, I first write down...</summary>
    <author>
        <name>Kees</name>
        <uri>http://www.leune.org</uri>
    </author>
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.leune.org/blog/kees/">
        &lt;p&gt;For a lightning round at yesterday's New York Higher Education Technology Forum, I was asked to deliver a 10 minute introduction to "Some Information Security Challenges in Cloud Computing". &lt;br /&gt;&lt;/p&gt;&lt;p&gt;As I usually do when I present, I first write down the stuff I want to say, and then I create a presentation based on that text. The draft text is included in the body of this post, the presentation (slides + text) can be downloaded &lt;a href="http://www.leune.org/files/presentations/20090402_NYHETF_Cloud.pdf"&gt;here&lt;/a&gt;.&lt;/p&gt;
        &lt;i&gt;Text&lt;/i&gt;: This presentation was heavily influenced by Christopher Hoff's SOURCE Boston presentation on Cloud Security and by Dan Geer's podcast comments in which he said that "Somewhere in the past decade, it became far cheaper to keep data than to delete it selectively."&lt;br /&gt;&lt;br /&gt;A direct consequence of keeping more and more data is that it becomes nearly impossible to categorize and classify it. As a result, we must rely on search to find the one bit of information that we are looking for.&lt;br /&gt;&lt;br /&gt;In itself, search can be a good thing. Business models like Google's have shown that effective search engines are perceived to be highly useful, and search itself has taken the place of browsing in many places. Think for example of Gmail: while labels are supported, the preferred method of finding and retrieving email conversations is the search function.&lt;br /&gt;&lt;br /&gt;If a lack of selective deletion of data leads to the (partial) disappearance of information classification, and if we rely on search rather than on classification and browsing to find what we are looking for, a skilled opponent has an advantage that he can leverage through a disinformation strategy.&lt;br /&gt;&lt;br /&gt;In other words, if we only see the things that we look for, a skilled opponent can either influence those search results to make us see what he wants us to see, or he can hide his tracks so that we never learn about his presence in the first place. Information can literally become invisible.&lt;br /&gt;&lt;br /&gt;There is another problem: most information security professionals use information classification to identify the assets that need to be protected the most. With classification becoming less effective, the same may be true for our understanding of our risk posture.&lt;br /&gt;&lt;br /&gt;The trend that our important information becomes less visible is only amplified when we think of cloud computing.&lt;br /&gt;&lt;br /&gt;Data is often moved off-site, and in some cases to servers that we do not control, or do not even have full access to.&lt;br /&gt;&lt;br /&gt;As information security professionals, we must be aware of this trend, and we must refocus on the processes that manipulate the data and on the people who participate in those processes.&lt;br /&gt;&lt;br /&gt;When moving things "into the cloud", we must never forget that in the end, the security and privacy of information is still our responsibility, despite the fact that we may not be able to fully control it.&lt;br /&gt;&lt;br /&gt;Many of our current technologies will be less effective; firewalls, intrusion detection/prevention systems, security information management (SIM) systems, vulnerability scanners, etc. will have to adapt to this new reality of the ultimate distributed information system.&lt;br /&gt;&lt;br /&gt;The Cloud is really our next horizon.&lt;br /&gt;&lt;br /&gt;The elimination of physical assets on-site is often quoted as one of the driving forces behind the adoption of cloud computing.&lt;br /&gt;&lt;br /&gt;Since resources will be "out in the cloud", we will not have physical access to much of the cloud infrastructure.&lt;br /&gt;&lt;br /&gt;As a consequence, and because the security of information remains our responsibility, we will also have to rethink the way in which we manage the technical response to security breaches.&lt;br /&gt;&lt;br /&gt;Because of the lack of direct access to our IT equipment, organizations will not be able to conduct initial incident response steps that rely on powering down compromised servers, taking forensic images, or rebuilding servers without the assistance of a cloud provider. Building a good relationship with cloud providers and establishing short lines of communication will become an important success factor in dealing with the consequences of using the Cloud.&lt;br /&gt;&lt;br /&gt;Many cloud providers do not allow pre-emptive vulnerability scanning of cloud-hosted resources. Amazon's Elastic Compute Cloud is such an example; its terms of service explicitly prohibit vulnerability scanning. Violating the terms of use may lead to the removal of a virtual machine, which in a cloud world is the equivalent of a power outage in the data center.&lt;br /&gt;&lt;br /&gt;We must re-think preventing, detecting and containing security incidents.&lt;br /&gt;&lt;br /&gt;As information security professionals, our job is to never say "No".&lt;br /&gt;&lt;br /&gt;We must enable the primary processes of our organization in a way that private information, unpublished research results, educational materials, and administrative data are protected against unauthorized manipulation or disclosure, and that they are available whenever needed.&lt;br /&gt;&lt;br /&gt;Especially in a higher education setting, we must be careful not to impose unnecessary constraints on our users. Our primary mission is Teaching and Research, and we must take care not to stifle Innovation and Academic Freedom. While these are sometimes thought of as directly opposed to what we as information security professionals do, we have to continuously realize that we are here.&lt;br /&gt;&lt;br /&gt;Cloud computing will present new challenges. We know that it will become harder to directly observe data on our systems and networks, which makes it harder to identify and classify information and, as a result, to control it as tightly as we were able to when we had central information repositories. Yet, at the same time, most universities are ideally situated to adopt a cloud model. Most of us are used to dealing with highly decentralized organizations, scattered information sources, conflicting requirements, and many data exfiltration points. In that sense, the cloud does not present us with anything new. We should be leading the way.&lt;br /&gt;&lt;br /&gt;Having said all this, not acknowledging that Cloud Computing brings with it its own challenges---technical as well as from a governance perspective---would be a mistake. In order to ensure that the Cloud does not turn into a vicious thunderstorm, we need to start preparing now.&lt;br /&gt;&lt;br /&gt;I look forward to talking to anyone who is interested in this topic, or any information security topic, later today.&lt;br /&gt;&lt;br /&gt;
    
</content>
<feedburner:origLink>http://www.leune.org/blog/kees/2009/04/brief-introduction-to-challeng.html</feedburner:origLink></entry>

</feed>
