<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Josh More's Blog</title>
	
	<link>http://blog.starmind.org</link>
	<description>Thoughts on business, security, and IT. Feed of content on &lt;a href="http://blog.starmind.org"&gt;Josh More's Blog&lt;/a&gt;</description>
	<lastBuildDate>Mon, 08 Feb 2010 14:00:50 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/starmind-blog" /><feedburner:info uri="starmind-blog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><media:copyright>Copyright 2007</media:copyright><media:keywords>business,technology,entrepreneurship,literature,partnership,teaming,competition,security</media:keywords><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Business</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Technology</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Arts/Literature</media:category><itunes:owner><itunes:email>jmore@starmind.org</itunes:email><itunes:name>Josh More</itunes:name></itunes:owner><itunes:author>Josh More</itunes:author><itunes:explicit>no</itunes:explicit><itunes:keywords>business,technology,entrepreneurship,literature,partnership,teaming,competition,security</itunes:keywords><itunes:subtitle>Fuzzy Business</itunes:subtitle><itunes:summary>Easy-to-understand and entertaining discussions about business themes within the context of children's literature.</itunes:summary><itunes:category text="Business" /><itunes:category text="Technology" /><itunes:category text="Arts"><itunes:category text="Literature" /></itunes:category><creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/3.0/</creativeCommons:license><image><link>http://www.starmind.org</link><url>http://www.starmind.org/star-icon.png</url><title>Josh More - The Starmind</title></image><feedburner:emailServiceId>starmind-blog</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe 
with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare href="http://www.bloglines.com/sub/http://feeds.feedburner.com/starmind-blog" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><feedburner:feedFlare href="http://odeo.com/listen/subscribe?feed=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://odeo.com/img/badge-channel-black.gif">Subscribe with ODEO</feedburner:feedFlare><feedburner:feedFlare href="http://www.podnova.com/add.srf?url=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://www.podnova.com/img_chicklet_podnova.gif">Subscribe with Podnova</feedburner:feedFlare><item>
		<title>Mythic Monday – Bulgarian Scope Creep</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/Aj96SfLV80s/</link>
		<comments>http://blog.starmind.org/2010/02/08/mythic-monday-bulgarian-scope-creep/#comments</comments>
		<pubDate>Mon, 08 Feb 2010 14:00:50 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Mythology]]></category>
		<category><![CDATA[blender]]></category>
		<category><![CDATA[devil]]></category>
		<category><![CDATA[god]]></category>
		<category><![CDATA[scope creep]]></category>
		<category><![CDATA[squash]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=759</guid>
		<description>There is a Bulgarian creation myth where in the beginning, the earth was just a tiny island.  Cohabitating on this island were God and the Devil (guess they were more friendly then).  One day, perhaps following an Oscar and Felixian roommate dispute, the Devil suggested that God take a nap, planning that whilst [...]</description>
			<content:encoded><![CDATA[<p>There is a Bulgarian creation myth where in the beginning, the earth was just a tiny island.  Cohabitating on this island were God and the Devil (guess they were more friendly then).  One day, perhaps following an Oscar and Felixian roommate dispute, the Devil suggested that God take a nap, planning that whilst the almighty creator was slumbering, he could be tipped into the ocean.  I guess that, in Bulgaria, one can be omnipotent and omniscient, and still somehow fail to gain their <a href="http://en.wikipedia.org/wiki/Arnold_Rimmer">B.S.C and S.S.C.</a>.</p>
<p>Anyway, as the Devil attempted to push God off the island, the island magically expanded in each direction (it's clear from this story that the Devil wasn't omniscient), so that nary a toe got dampened.  The shoreline simply grew in each direction and, by the time the Devil gave up, the island had expanded to the size of our current Earth.  Which basically means that the state of the Earth today is due entirely to Devil-induced scope creep.</p>
<p>It explains a lot, doesn't it?</p>
<p><strong>Scope creep is a danger in all projects.</strong> It doesn't matter whether you're developing an application, enacting a security program or just shopping for groceries, scope creep can blow both your budget and deadline.  It's tempting when you're working on something to just add a little piece here and there because it will make future work easier.  Unfortunately for the business, integer math insists on <a href="http://en.wikipedia.org/wiki/Summation">summation</a>, and so long as businesses are profit-focused, integer math is going to be important.  From a security perspective, scope creep is additionally dangerous because it complicates things.  Complicated things are harder to secure than simple things.  <strong>The simpler you can keep a project, the better you can understand it, so the easier it is to secure.</strong></p>
<p>Scope creep, of course, is most dangerous when shopping.  A while back, I stopped by the store to pick up some basics (apples, bananas, yogurt, etc), and I noticed that winter squash was on sale... so my scope expanded a little bit and two squash wound up in my cart.  Later, once I got home I realized that I had no idea what to do with them (other than the basic roast squash, which is boring).  After consulting one of my cook books, I discovered that I needed a few more things.  After another shopping trip that involved carrots, celery, onions, garlic and broth, I soon had two soups a simmering.  Regrettably, the last step for each soup involved a blender, and the blender I had was incapable of dealing with the increased complexity of my soups.  It quickly suffered what I must refer to as a catastrophic containment failure which necessitated another trip to the store to get <a href="http://www.osterfusion.com/">a new blender</a>.</p>
<p>All told, my initial scope creep of two impulse-bought squash cost me over a hundred dollars in ingredients and blender replacement, not to mention the ridiculous amount of time wasted in the endeavor.  While I am thankful that I was able to find the blender-related security hole and believe that I have effectively mitigated the risk, life would have been much simpler had I not needed to.</p>
<p>I'm blaming the devil.</p>

	Tags: <a href="http://blog.starmind.org/tag/blender/" title="blender" rel="tag">blender</a>, <a href="http://blog.starmind.org/tag/devil/" title="devil" rel="tag">devil</a>, <a href="http://blog.starmind.org/tag/god/" title="god" rel="tag">god</a>, <a href="http://blog.starmind.org/tag/scope-creep/" title="scope creep" rel="tag">scope creep</a>, <a href="http://blog.starmind.org/tag/squash/" title="squash" rel="tag">squash</a><br />

	<h4>Related posts</h4>
	<ul class="st-related-posts">
	<li>No related posts.</li>
	</ul>

<div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2010/02/08/mythic-monday-bulgarian-scope-creep/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2010/02/08/mythic-monday-bulgarian-scope-creep/?&amp;owa_from=feed&amp;owa_sid=</feedburner:origLink></item>
		<item>
		<title>Advanced Persistent Threat (APT)</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/hbgd4hVgmP8/</link>
		<comments>http://blog.starmind.org/2010/02/05/advanced-persistent-threat-apt/#comments</comments>
		<pubDate>Fri, 05 Feb 2010 14:00:20 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[apt]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=768</guid>
		<description>There has been a great deal of discussion in the security community about APT.  The link covers it at a high level, but in a nutshell, it's a type of hacking that is distinguished by people who have the time and money to target specific individuals and organizations.  Since the number of resources (time [...]</description>
			<content:encoded><![CDATA[<p>There has been a great deal of discussion in the security community about <a href="http://en.wikipedia.org/wiki/Advanced_Persistent_Threat">APT</a>.  The link covers it at a high level, but in a nutshell, it's a type of hacking that is distinguished by attackers who have the time, money and patience to target specific individuals and organizations, and to keep trying until they get in.  Since the resources (time and money) available to the attackers are on a much larger scale than what the defenders can muster, a lot of people are calling this a game changer.</p>
<p>As usual, the battle lines seem drawn along traditional lines, with both sides claiming that the other "doesn't get it".  For a quick read, check out <a href="http://taosecurity.blogspot.com/2010/01/two-dimensional-thinking-and-apt.html">Richard Bejtlich's post</a> and <a href="http://blog.mandiant.com/archives/720">MANDIANT's post</a> and, for a counterpoint, check out <a href="http://1raindrop.typepad.com/1_raindrop/2010/01/i-can-see-atp-from-here.html">Gunnar Peterson's</a>.</p>
<p><strong>Of course, they're both right.  Neither side gets it.</strong> Both are blind.  Those that work in enterprise security consulting see APT everywhere... mostly, I suspect, because in the enterprise security space you only call the consultants when it's something particularly troublesome (like APT).  Of course, once you've focused on APT, that's what you get called in on, so the problem probably looks bigger than it is.</p>
<p>In contrast, those of us that don't consult in those spaces don't get those calls, so we don't see it.  We also probably don't have the visibility needed to see such activity if it is going on in our organizations.  So we minimize the threat.</p>
<p>So what do you do about APT?</p>
<p>I suggest that you consider the following checklist:</p>
<ol>
<li>Do you have a firewall?</li>
<li>Does your firewall restrict outgoing (egress) connections as well as incoming ones?</li>
<li>Do you have local antimalware running on all your endpoints?</li>
<li>Do you have a web filtering solution in place?</li>
<li>Is all access to all systems monitored and audited regularly?</li>
<li>Do you have a process in place to pull all legacy systems off your network?</li>
<li>Do you have a patch management system in place?</li>
<li>Do you have a vulnerability management process in place?</li>
<li>Do you match all system configurations against hardened templates?</li>
<li>Do you have a data classification policy that applies to all your data?</li>
<li>Are you encrypting your important data, both at rest and in transit?</li>
<li>Do you have a log retention and management infrastructure built?</li>
<li>Are you running an IDS/IPS system?</li>
<li>Do you have third party management systems in place?</li>
<li>Are all of your web applications running in hardened stacks?</li>
<li>Are you using web application firewalls?</li>
<li>Are you using database firewalls?</li>
<li>Do you have regular employee awareness training?</li>
<li>Are complete penetration tests conducted against your organization?</li>
<li>Do you have an Internet data monitoring and scrubbing policy in place?</li>
</ol>
<p>If the answer to <strong>each</strong> question is "yes", then you should worry about APT.  This is not to say that if any of these are "no", you don't have APT going on in your environment.  I'm saying that there's no point pursuing a full on anti-APT strategy until you have the basics in place... and there are a lot of basics.  I'm also not saying that any of these technologies will prevent APT (or any security issues), or that all problems even have technical solutions.  These are just 20 questions that explore what a minimal and sufficient security solution looks like for the average business.</p>
<p>If you don't have a minimal and sufficient security solution in place, it's not that APT isn't a threat or that an unknown enemy isn't out to get you...<strong> it's that you probably have more important things to be working on.</strong></p>

	Tags: <a href="http://blog.starmind.org/tag/apt/" title="apt" rel="tag">apt</a><br />

	<h4>Related posts</h4>
	<ul class="st-related-posts">
	<li>No related posts.</li>
	</ul>

<div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2010/02/05/advanced-persistent-threat-apt/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2010/02/05/advanced-persistent-threat-apt/?&amp;owa_from=feed&amp;owa_sid=</feedburner:origLink></item>
		<item>
		<title>Bias Thursday – Déformation professionnelle</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/3cd47ncNaXw/</link>
		<comments>http://blog.starmind.org/2010/02/04/bias-thursday-deformation-professionnelle/#comments</comments>
		<pubDate>Thu, 04 Feb 2010 14:00:42 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Psychology]]></category>
		<category><![CDATA[bias]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=626</guid>
		<description>While I am not a psychologist, a good understanding of psychological issues is an important part of a full security practice.  These themed posts are likely to be incomplete, as I am just exploring some ideas and how they might apply to security.
Déformation professionnelle (which Google translates as "professional distortion") is the tendency to [...]</description>
			<content:encoded><![CDATA[<p><em>While I am not a psychologist, a good understanding of psychological issues is an important part of a full security practice.  These themed posts are likely to be incomplete, as I am just exploring some ideas and how they might apply to security.</em></p>
<hr />Déformation professionnelle (which Google translates as "professional distortion") is the tendency to consider situations from the perspective of your profession.  The classic example is the joke "when all you have is a hammer, every problem looks like a nail".  What I've noticed, though, is that "profession" seems to apply to business divisions now.  We're all getting extremely specialized, and that seems to create what we can call "a failure to communicate".</p>
<p>Take, for example, the concept of risk.  In the security field, risk is bad and the steps that can be taken to avoid risk seem reasonable.  However, in the business field, risk is viewed in terms of the potential gains that the risk can provide whereas the steps to avoid risk seem likely to cause problems and will therefore impact the bottom line.  Similarly, admins and developers are likely to resist the perceived difficulties in implementing the mitigation strategies.</p>
<p>Again, there are both offensive and defensive capabilities to this bias.  Offensively, simply knowing a target's profession can give you a good chance at predicting their responses.  If you have a planned proposal, you can practice it against others in the same profession and tweak it before you present it to the people that matter.  You can be aware of the context in which they will likely view your ideas and work on expanding their context before you get to the hard stuff.</p>
<p>Defensively, like most biases, you just have to be aware that you will likely view things within the context of your profession.  Thus, if you are having conversations with those outside of your profession, there is a higher likelihood of misunderstanding.  If you find yourself reacting negatively to something someone else says, you should check and see if maybe that reaction is because you are coming at things from different contexts.</p>
<p>As a note on this particular bias, I have occasionally been asked why I blog the way I do.  Other than the fact that the Internet doesn't need yet another voice in the Security echo chamber, I find that forcing myself to consider issues from different contexts (mythological, natural, psychological, etc) allows me to understand the issues at a deeper level.  I don't know if it gives me any advantage over the usual advantages that one gains by taking time to think things through and write them up... but it doesn't seem to be hurting.</p>

	Tags: <a href="http://blog.starmind.org/tag/bias/" title="bias" rel="tag">bias</a><br />

	<h4>Related posts</h4>
	<ul class="st-related-posts">
	<li><a href="http://blog.starmind.org/2010/01/28/bias-thursday-pseudocertainty-effect/" title="Bias Thursday &#8211; Pseudocertainty Effect (2010/01/28)">Bias Thursday &#8211; Pseudocertainty Effect</a> (0)</li>
</ul>

<div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2010/02/04/bias-thursday-deformation-professionnelle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2010/02/04/bias-thursday-deformation-professionnelle/?&amp;owa_from=feed&amp;owa_sid=</feedburner:origLink></item>
		<item>
		<title>Security Sprint – Firefox Profiles</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/BbeztTsymLk/</link>
		<comments>http://blog.starmind.org/2010/02/03/security-sprint-%e2%80%93-firefox-profiles/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 14:00:43 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Sprint]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[profiles]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=624</guid>
		<description>We're all busy people.  A security sprint should take no more than two hours... which, while long for a real sprint, is a mere blink of an eye when compared to the multi-year commitment that is proper security practice.
If you use Firefox as your primary browser, there's a feature that you're probably not taking [...]</description>
			<content:encoded><![CDATA[<p><em>We're all busy people.  A security sprint should take no more than two hours... which, while long for a real sprint, is a mere blink of an eye when compared to the multi-year commitment that is proper security practice.</em></p>
<hr />If you use Firefox as your primary browser, there's a feature that you're probably not taking proper advantage of.  Firefox stores your personal data in a profile.  This includes your bookmarks, saved passwords, cookies and add-ons.  The advantage here is that you can tune your Firefox configuration to what you're doing... and somewhat segment your data.</p>
<p>For example, I have my normal browsing profile which includes a bare minimum of add-ons: <a href="https://addons.mozilla.org/en-US/firefox/addon/1865">Adblock Plus</a>, <a href="https://addons.mozilla.org/en-US/firefox/addon/8636">LongURL Mobile Expander</a>, <a href="https://addons.mozilla.org/en-US/firefox/addon/3456">Web of Trust</a>, <a href="https://addons.mozilla.org/en-US/firefox/addon/6623">BetterPrivacy</a>, <a href="https://addons.mozilla.org/en-US/firefox/addon/2497">Cookie Safe</a> and <a href="https://addons.mozilla.org/en-US/firefox/addon/722">NoScript</a>.  Then, if I am conducting offensive security work, I use a profile that is loaded with some attack tools like <a href="https://addons.mozilla.org/en-US/firefox/addon/7597">SQL Inject Me</a> and <a href="https://addons.mozilla.org/en-US/firefox/addon/7598">XSS Me</a>.  Similarly, when I'm doing web development or troubleshooting, I have a separate profile that loads <a href="https://addons.mozilla.org/en-US/firefox/addon/60">Web Developer</a> and <a href="https://addons.mozilla.org/en-US/firefox/addon/3829">Live HTTP Headers</a>.  This approach keeps my normal use fairly light and allows me to load the extensions that I need when I need them.</p>
<p>In theory, it also keeps my passwords and cookies a bit safer than usual, since a site visited in one profile can't see the cookies or saved logins belonging to another.  Be clear about what this does and doesn't buy you, though: all of your profiles live under the same operating-system user account, so a malicious add-on or a browser exploit in one profile can still read the files of the others.  Profiles separate your data; they are not a security boundary.  It's not as secure as using a completely separate user account, or even a separate computer, for doing dangerous activities, but it's better than not doing anything at all.</p>
<p>To build your own profiles, go <a href="http://support.mozilla.com/en-US/kb/Managing+profiles">here</a> and launch the Profile Manager.  Then, when you start Firefox, you will get a dialog asking you which profile you wish to run.  From there, it's just a matter of picking which mode you wish to work in and selecting the appropriate profile before you start.</p>

	Tags: <a href="http://blog.starmind.org/tag/firefox/" title="firefox" rel="tag">firefox</a>, <a href="http://blog.starmind.org/tag/profiles/" title="profiles" rel="tag">profiles</a><br />

	<h4>Related posts</h4>
	<ul class="st-related-posts">
	<li>No related posts.</li>
	</ul>

<div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2010/02/03/security-sprint-%e2%80%93-firefox-profiles/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2010/02/03/security-sprint-%e2%80%93-firefox-profiles/?&amp;owa_from=feed&amp;owa_sid=</feedburner:origLink></item>
		<item>
		<title>Security Lessons from Nature – Happy Groundhog Day</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/BUVopePk1B4/</link>
		<comments>http://blog.starmind.org/2010/02/02/security-lessons-from-nature/#comments</comments>
		<pubDate>Tue, 02 Feb 2010 14:00:36 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Natural History]]></category>
		<category><![CDATA[groundhog]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=620</guid>
		<description>Happy groundhog day.  In honor of this special day, you get a picture and a scatter-shot of groundhog facts:

The groundhog is also known as a whistle-pig, due to its tendency to make a whistling noise when predators are near.  Much as monitoring systems will send SMS or email messages when an attack occurs.
Groundhogs have two [...]</description>
			<content:encoded><![CDATA[<p><a href="http://www.flickr.com/photos/vickispix/136109278/"><img class="alignright" src="http://farm1.static.flickr.com/55/136109278_39d4c86ff5_m_d.jpg" alt="" /></a>Happy groundhog day.  In honor of this special day, you get a picture and a scatter-shot of groundhog facts:</p>
<ul>
<li>The groundhog is also known as a whistle-pig, due to its tendency to make a whistling noise when predators are near.  Much as monitoring systems will send SMS or email messages when an attack occurs.</li>
<li>Groundhogs have two layers of fur, both a soft undercoat and coarser guard hairs.  This is a classic <em>defense in depth</em> strategy, against both cold and damp threats.</li>
<li>Groundhogs mostly eat plants but won't pass up the occasional delicious grub or bug.  This allows them to supplement their dietary needs without having to track down the rare vegetative high-protein source like nuts or beans, which are needed in small quantities at various points in their lives.  This is much like an organization hiring a 1099 resource as needed.</li>
<li>They are one of the few creatures that truly hibernate and are generally utterly non-responsive for four to five months... which has no direct correlation to business, but there are days when I wish it did.</li>
<li>They have a wide range of predators, including owls, dogs, bears, bobcats and coyotes.  Younger ones are vulnerable to snakes and hawks.  Much as a security program is constantly evolving and loses vulnerability to some threats but not others, the successful groundhogs grow large enough to be immune to the snakes and hawks.</li>
<li>When predators strike, groundhogs will escape them by running to emergency burrows (hot site) or up a tree (cold site).</li>
<li>Groundhogs are mostly solitary but also live in small communal burrows.  This allows them to share the alerting responsibilities and leverage one another's expertise... in much the same way that small teams can work most effectively in a small conference room where they can collaborate.</li>
<li>The groundhog is in the Sciuridae family along with the squirrels (and a fragment of their genetic code can be found <a href="http://olduvai.sourceforge.net/sj/science_CNR1.fa">here</a> (as part of the <a href="http://olduvai.sourceforge.net/sj/">SequenceJuxtaposer</a> project (which has nothing to do with security, but is still pretty neat))).</li>
</ul>
<p>Image in the Creative Commons and is courtesy of <a href="http://www.flickr.com/photos/vickispix/">~Sage~</a> on Flickr.</p>

	Tags: <a href="http://blog.starmind.org/tag/groundhog/" title="groundhog" rel="tag">groundhog</a><br />

	<h4>Related posts</h4>
	<ul class="st-related-posts">
	<li>No related posts.</li>
	</ul>

<div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2010/02/02/security-lessons-from-nature/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2010/02/02/security-lessons-from-nature/?&amp;owa_from=feed&amp;owa_sid=</feedburner:origLink></item>
		<item>
		<title>Mythic Monday – The Creation of the Aztec People</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/fMXUn4DeM20/</link>
		<comments>http://blog.starmind.org/2010/02/01/mythic-monday-the-creation-of-the-aztec-people/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 14:00:35 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Mythology]]></category>
		<category><![CDATA[Aztec]]></category>
		<category><![CDATA[bones]]></category>
		<category><![CDATA[creation]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=617</guid>
		<description>According to Aztec myth, after the previous inhabitants of the Earth had been turned into fish, the gods wanted to make more people.  Now, one would rationally expect that if the gods liked people so much, they wouldn't have flooded the Earth in the first place and turned all the previous people into fish, but [...]</description>
			<content:encoded><![CDATA[<p>According to Aztec myth, after the previous inhabitants of the Earth had been turned into fish, the gods wanted to make more people.  Now, one would rationally expect that if the gods liked people so much, they wouldn't have flooded the Earth in the first place and turned all the previous people into fish, but the Mesoamerican myths don't seem to be much for rationality and forethought.</p>
<p>Anyway, to create the people, the gods need the magical bones which were guarded by the Lord of Death.  After a fairly typical quest followed by a challenge and the reneging by the Lord of Death on the deal, the hero carrying the bag of bones fell to the bottom of a pit and the bones were broken.  That, of course, is why the people come in a variety of shapes and sizes.</p>
<p>Of course, we are quite lucky that the Aztec hero was such a klutz.  The numerous variations in humanity have rendered us resistant to various plagues.  (Technically, this is only partly true as there is evidence that humans are more genetically identical than most animals (except for cheetahs), but we're ignoring that here.)  The more variation there is in a genome, the greater the resistance to threats.  Though similar concern has been raised about the ongoing homogenization of our food supply and how it renders us vulnerable to threats, this blog is about I.T. and business security.</p>
<p>For quite some time, I have been arguing against homogenization within certain businesses.  The current practice of having all systems identical makes things very easy to manage.  It makes it easy for auditors to verify that proper security standards are in place.  It also can tie into automatic patching plans and keep everything up to date.  However, it means that every person in the organization has to adapt themselves to the same software and that if an attacker manages to get into one system, they can march right into every other one.</p>
<p><strong>Like all things, using system images is a tradeoff.</strong> It seems that many organizations implement imaging just because it's best practice.  Sure it solves some problems, but any change also creates others.  Often, an imaging project identifies numerous applications to drop out of the environment.  This is great for general security, as it reduces attack surface, but often many of these are there because they make the business more effective.</p>
<p>Given that the whole point of "the computer revolution" was that we are now able to adapt technology to our lives at very small levels, it seems like questionable logic to take devices that are capable of enhancing individual abilities and compensating for individual flaws and turn them all into identical machines and then force people to match them.  Richard Bejtlich gets into this in more depth over in his post <a href="http://taosecurity.blogspot.com/2009/12/let-hundred-flowers-blossom.html">Let a Hundred Flowers Blossom</a>.</p>
<p>My point isn't that imaging is bad.  In some environments, it's a necessity.  (Mostly regulated environments or those lacking a technically-skilled workforce who can select the appropriate applications to enhance their productivity.)  It just shouldn't be a goal without consideration of the total business impact.</p>
<p>After all, people are all different.  If the technology is all the same, it obviously won't work as well for some people as it will for others.  The question to ask is whether the benefit of uniformity outweighs the cost of productivity.</p>

	Tags: <a href="http://blog.starmind.org/tag/aztec/" title="Aztec" rel="tag">Aztec</a>, <a href="http://blog.starmind.org/tag/bones/" title="bones" rel="tag">bones</a>, <a href="http://blog.starmind.org/tag/creation/" title="creation" rel="tag">creation</a><br />

	<h4>Related posts</h4>
	<ul class="st-related-posts">
	<li><a href="http://blog.starmind.org/2009/12/07/mythic-monday-love-and-creation/" title="Mythic Monday &#8211; Love and Creation (2009/12/07)">Mythic Monday &#8211; Love and Creation</a> (0)</li>
</ul>

<div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2010/02/01/mythic-monday-the-creation-of-the-aztec-people/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2010/02/01/mythic-monday-the-creation-of-the-aztec-people/?&amp;owa_from=feed&amp;owa_sid=</feedburner:origLink></item>
		<item>
		<title>Security in the Harry Potter World</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/MKX-Ttxz1m0/</link>
		<comments>http://blog.starmind.org/2010/01/29/security-in-the-harry-potter-world/#comments</comments>
		<pubDate>Fri, 29 Jan 2010 14:00:02 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[harry potter]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=629</guid>
		<description>I recently picked up Harry Potter 6 on Blu-ray.  While I've read all the books, I've generally not been much for the movies.  (I prefer the pictures in my head.)  However, there is a photographic beauty to these movies that is worth both the time and the money (especially when the box [...]</description>
			<content:encoded><![CDATA[<p>I recently picked up Harry Potter 6 on Blu-ray.  While I've read all the books, I've generally not been much for the movies.  (I prefer the pictures in my head.)  However, there is a photographic beauty to these movies that is worth both the time and the money (especially when the box set of 1-5 was on 70% off recently)... so I'm watching them and remembering the stories.</p>
<p>As with most works of art, the easy path to drama is to create a security failure.  It makes sense, after all.  As a creator, you may have a need to push your characters at times, and the easy (lazy) way to push a character is to create a situation for them to react to.  Thus, viewing the worlds as if they are real is a bit unfair... but on the other hand, nitpicking is fun.</p>
<p>In the world of Harry Potter, there are several security situations.  The world of magic has to be kept a secret from all the muggles, the evil people have to be kept out of Hogwarts, and what is kept in Gringotts must stay in Gringotts.  In fact, we know that there is some sort of magical muggle spy network, as Dumbledore knows to investigate Tom Riddle prior to his acceptance into Hogwarts.  Why this same network can't detect the attack upon Harry by the dementors in book/movie 5 is unclear.  Clearly, they need to invest in redundancy for the system.</p>
<p>Similarly, Hogwarts seems to have a surprisingly difficult problem keeping students where they belong.  It took until book/movie 6 before they put up a firewall around the school, and even then, attackers manage to encapsulate an attack within a legitimate source (Katie Bell) and also pull off Draco's VPN bypass (terminated by the vanishing cabinet).  It seems that magic should be able to do better.</p>
<p>In contrast, Voldemort clearly knows a lot about security.  He makes backup copies of his soul, just in case something happens (like a backfiring killing curse).  Granted, the restoration process leaves a bit to be desired.  If he really cared about operational availability, he would have tested the process and avoided that whole 12 year delay issue.  (And here I thought 24 hours to deliver backup tapes from the offsite repository was a long time.)</p>
<p>Similarly, given that it's been established that there is a thing called "a trace" that can detect when someone casts a spell, you'd think that they could use the same practice during quidditch matches to prevent the audience from interfering with the play... but they don't.  As a result, there are all sorts of amusing and dramatically-appropriate hijinks.</p>
<p>Lastly, in an environment where a bunch of students are awash in teenage hormones AND are constantly playing with potions AND know that love potions exist, you'd think that there would be an emergency bezoar in each dormitory.  But there's not.</p>
<p>It would be interesting to see what the world would be like if there were more audit-focused monitoring points, reactive response points and preventative spells.  However, just as in the real world these sorts of technologies are tempered by the economics of the situation, in the fictional world there is a trade-off with dramatic tension.  Sure, there are a lot of things that Dumbledore could have done to increase the relative safety of his charges, but to do so would have drastically reduced the possibilities for dramatic tension.</p>
<p>This would have reduced the number of books from 7 to likely 1 or 2.  In our universe, Dumbledore lives for six whole books.  If he had been a more protective head of Hogwarts, Voldemort may have been defeated much more quickly and the series would have been reduced.  So, like most people, Dumbledore made a self-interested decision that had ramifications outside of himself.  He got to live longer and be in an incredibly popular series of books and as a result, many of his students were placed in some wonderfully dramatic jeopardy.  That's something to consider, I suppose, when there are security decisions that you have to make.</p>

	Tags: <a href="http://blog.starmind.org/tag/harry-potter/" title="harry potter" rel="tag">harry potter</a><br />

	<h4>Related posts</h4>
	<ul class="st-related-posts">
	<li>No related posts.</li>
	</ul>

<div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2010/01/29/security-in-the-harry-potter-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2010/01/29/security-in-the-harry-potter-world/?&amp;owa_from=feed&amp;owa_sid=</feedburner:origLink></item>
		<item>
		<title>Bias Thursday – Pseudocertainty Effect</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/QAzBh-43pW0/</link>
		<comments>http://blog.starmind.org/2010/01/28/bias-thursday-pseudocertainty-effect/#comments</comments>
		<pubDate>Thu, 28 Jan 2010 14:00:37 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Psychology]]></category>
		<category><![CDATA[bias]]></category>
		<category><![CDATA[pseudocertainty]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=614</guid>
		<description>While I am not a psychologist, it's becoming increasingly obvious that a good understanding of psychological issues is an important facet of a full security practice.  These themed posts are likely to be incomplete, as I am just exploring some ideas and how they might apply to security.
In running through the List of Cognitive [...]</description>
			<content:encoded><![CDATA[<p><em>While I am not a psychologist, it's becoming increasingly obvious that a good understanding of psychological issues is an important facet of a full security practice.  These themed posts are likely to be incomplete, as I am just exploring some ideas and how they might apply to security.</em></p>
<hr /><p>In running through the <a href="http://en.wikipedia.org/wiki/List_of_cognitive_biases">List of Cognitive Biases</a> on Wikipedia, I ran across the <a href="http://en.wikipedia.org/wiki/Pseudocertainty_effect">Pseudocertainty Effect</a>.  Simply put, this is the tendency of people to emphasize the positive over the negative when faced with a choice.  The classic scenarios can be read at the Wikipedia link above and <a href="http://econlog.econlib.org/archives/2009/07/government_heal.html">here</a>.</p>
<p>Basically, this means that by phrasing a choice differently, you can guide people into making the choice you want them to.  I've seen this used on the sales side of things, but I have to wonder whether it's an intentional abuse of this tendency.</p>
<p>As I see it, this effect is useful to note in both offensive and defensive capacity.  On the offensive side, if you need someone to make a choice and you want them to take a risk, you emphasize the negative consequences, but<strong> if you want them to take a guaranteed path that may be incomplete, you emphasize the positive.</strong> For example, suppose you are pitching an idea to management.  The idea has an 80% chance of success, but has a $10k cost.  If you want them to accept your idea, you need to understand that the natural tendency would be to make the choice that preserves the certainty of saving $10k, rather than risking the 20% chance of failure.  Thus, to be accepted, the proposal would need to either eliminate certainty altogether (perhaps tie the cost to averted loss offsets and phrase it as "between zero and $10k, depending on success") or focus on the certainties of the results.  Thus, if the 80% projected success rate can be broken down into one set of guaranteed successes and some that are maybe 40% likely, the proposal can focus on $10k for a guaranteed success with a bonus opportunity for further improvements.</p>
<p>On the defensive side, you should be aware that it is natural to think this way and that others will try to exploit your tendencies along these lines.  Whenever you are presented with a choice (well, one that matters anyway) you should ask yourself whether it is phrased positively or negatively.  Then, knowing that you have a tendency to preserve positive outcomes but take risks to avoid negative ones, flip the phrasing around and see if the other choice makes sense.  <strong>If you find that your choice flips with the phrasing, then this bias is in play and you need to think things through more carefully.</strong></p>

	Tags: <a href="http://blog.starmind.org/tag/bias/" title="bias" rel="tag">bias</a>, <a href="http://blog.starmind.org/tag/pseudocertainty/" title="pseudocertainty" rel="tag">pseudocertainty</a><br />

	<h4>Related posts</h4>
	<ul class="st-related-posts">
	<li><a href="http://blog.starmind.org/2010/02/04/bias-thursday-deformation-professionnelle/" title="Bias Thursday &#8211; Déformation professionnelle (2010/02/04)">Bias Thursday &#8211; Déformation professionnelle</a> (0)</li>
</ul>

<div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2010/01/28/bias-thursday-pseudocertainty-effect/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2010/01/28/bias-thursday-pseudocertainty-effect/?&amp;owa_from=feed&amp;owa_sid=</feedburner:origLink></item>
		<item>
		<title>Security Sprint – Internet Passwords</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/Ji3asF6VcUY/</link>
		<comments>http://blog.starmind.org/2010/01/27/security-sprint-internet-passwords/#comments</comments>
		<pubDate>Wed, 27 Jan 2010 14:00:40 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Sprint]]></category>
		<category><![CDATA[password]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=610</guid>
		<description>We're all busy people.  A security sprint should take no more than two hours... which, while long for a real sprint, is a mere blink of an eye when compared to the multi-year commitment that is proper security practice.
You've probably heard about some of the recent attacks against various websites.  The problem here [...]</description>
			<content:encoded><![CDATA[<p><em>We're all busy people.  A security sprint should take no more than two hours... which, while long for a real sprint, is a mere blink of an eye when compared to the multi-year commitment that is proper security practice.</em></p>
<hr /><p>You've probably heard about some of the recent attacks against various websites.  The problem here is that if one of the sites you use gets attacked AND they're not encrypting your password AND you're using the same password on other sites, then that one breach on one site can put all your other sites at risk.  Of course, if you want to be on the Internet, you have to accept some risk... but it's hard to accept the risk when you don't know it's there.  So let's figure it out.</p>
<p>1) Take twenty minutes and make a list of all of your Internet sites in a spreadsheet.  Try to remember all of them, not just the common ones.  There's a list below to get you started:</p>
<p>2) Go to the login page of each site and click on the "forgot your password?" link.  Yes, this will reset your password, but that's the point.</p>
<p>3) Once the new password arrives in your email, look at it.  Does it sound like something you'd pick for yourself?  If so, there's a good chance that they're not encrypting their passwords properly: a site that can send you your existing password can read it back, which a properly hashed password store cannot.  Create a "secure" column in your spreadsheet and mark them as "no".</p>
<p>4) If the password arrives and looks random, then they reset your password for you... which probably means that they can't access your password directly.  This means that it's probably hashed or encrypted in the database rather than stored in the clear.  Mark these as "yes" in the "secure" column.</p>
<p>5) There is a drawback to this plan, and that's that all of your passwords will change.  Most of the sites that you marked as secure will force you to change your password when you log back in.  If they don't, change their "yes" to "no", since a password that was sent to you in the clear by email shouldn't stay valid.</p>
<p>6) Now you have a list of all of your sites and know which ones are the more trustworthy.  The last step to this sprint is to reset your passwords to something more secure.  There are lots of <a href="http://www.sophos.com/blogs/gc/g/2010/01/22/top-20-website-passwords/">articles</a> and <a href="http://www.pctools.com/guides/password/">tools</a> out there, and I see no need to add to the <a href="http://www.mit.edu/afs/sipb/project/doc/passwords/passwords.html">pile</a>.  All I'll say is that you should pick ones that you can remember and that aren't the same for all sites.  If you want to use really complex systems, look into <a href="http://gnukeyring.sourceforge.net/">password</a> <a href="http://sourceforge.net/projects/keepass/">wallet</a> <a href="http://agilewebsolutions.com/products/1Password">software</a>.</p>
<p>7) Once all your passwords are changed, and you have an idea of how risky your sites are, you can proceed with your Internet life in relative security.</p>
<hr /><p>Sites to consider:</p>
<ul>
<li>Email: Gmail, Yahoo Mail, Hotmail</li>
<li>Social: MySpace, Facebook, Livejournal, Twitter</li>
<li>Professional: LinkedIn, Plaxo, Namez, Zoominfo, Notchup</li>
<li>Images: Flickr, Photobucket, Smugmug</li>
<li>Documents: Scribd, Docstoc, Instructables, SlideShare</li>
<li>Shopping: Amazon, Zappos</li>
<li>Bookmarking: Delicious</li>
<li>Video: YouTube, Vimeo</li>
</ul>

	Tags: <a href="http://blog.starmind.org/tag/password/" title="password" rel="tag">password</a><br />

	<h4>Related posts</h4>
	<ul class="st-related-posts">
	<li><a href="http://blog.starmind.org/2009/04/06/mythic-monday-the-sphinx/" title="Mythic Monday &#8211; The Sphinx (2009/04/06)">Mythic Monday &#8211; The Sphinx</a> (0)</li>
</ul>

<div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2010/01/27/security-sprint-internet-passwords/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2010/01/27/security-sprint-internet-passwords/?&amp;owa_from=feed&amp;owa_sid=</feedburner:origLink></item>
		<item>
		<title>Security Lessons from Nature – Glow Worm Cave</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/ypuTbhwfoZI/</link>
		<comments>http://blog.starmind.org/2010/01/26/security-lessons-from-nature-glow-worm-cave/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 14:00:35 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Natural History]]></category>
		<category><![CDATA[fungus gnat]]></category>
		<category><![CDATA[glow worm]]></category>
		<category><![CDATA[honey pot]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=606</guid>
		<description>Those of you that have seen the series Planet Earth are probably aware of the glow worm cave.  (Those of you that have not have some TV watching to do.)  This is a cave full of cute little glow worms that make a light pattern on the ceiling of the cave that is [...]</description>
			<content:encoded><![CDATA[<p>Those of you that have seen the series <a href="http://dsc.discovery.com/convergence/planet-earth/planet-earth.html">Planet Earth</a> are probably aware of the glow worm cave.  (Those of you that have not have some TV watching to do.)  This is a cave full of cute little glow worms that make a light pattern on the ceiling of the cave that is reminiscent of the night stars.  It's a beautiful sight to stare up at those little glittering pinpoints of lights.</p>
<p>Of course, that's the tourist spiel.  In actuality, the "glow worms" are <a href="http://en.wikipedia.org/wiki/Arachnocampa_luminosa">larval gnats</a> that produce mucus and spin out long threads to entrap moths.  When a moth becomes deluded by the lights and becomes trapped in the sticky threads, the larvae pull up the moth and liquefy and suck out its internal organs.  After secreting mucus and dining upon moths for up to a year, they transform into gnats whereupon they mate and die... which seems like a lot of work to me, but then, I tend not to be consulted in matters such as this.</p>
<p>However, the lesson here is a good one.  Namely, it's probably not worth travelling all the way to New Zealand to visit the phosphorescent snot worm cave.  However, a deeper lesson is that light attracts bugs.  (Sure, I could have blogged about the moth and the candle, but then I'd not be able to talk about glow worms.)  If you want to know something about the insects that inhabit a cave, just put out a light and see what comes visiting.</p>
<p>We do that in I.T. security to help identify the attackers that are on the Internet.  We call them honeypots, which is likely a reference to Winnie the Pooh (I hope), but since I am not (yet) linking children's literature to security, we'll ignore that bit for now.  Instead, we'll take a quick look at the value of lepidoptery.  Just as a scientist can look at the types of moths ensnared in sticky mucusy silk and learn a lot about the ecology of the cave, a security researcher can examine the malware and attacks found within a honey pot and learn a lot about the sorts of attacks that they may be subjected to.</p>
<p>By creating your own honey pot, you get a chance to deal with attacks before (hopefully) they impact your production systems.  However, just like fungus gnat larvae don't ignore the moths that stumble into their "webs" (strings, really), in order for this to be effective, you can't ignore what gets caught in the honey pot either.</p>

	Tags: <a href="http://blog.starmind.org/tag/fungus-gnat/" title="fungus gnat" rel="tag">fungus gnat</a>, <a href="http://blog.starmind.org/tag/glow-worm/" title="glow worm" rel="tag">glow worm</a>, <a href="http://blog.starmind.org/tag/honey-pot/" title="honey pot" rel="tag">honey pot</a><br />

	<h4>Related posts</h4>
	<ul class="st-related-posts">
	<li>No related posts.</li>
	</ul>

<div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2010/01/26/security-lessons-from-nature-glow-worm-cave/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2010/01/26/security-lessons-from-nature-glow-worm-cave/?&amp;owa_from=feed&amp;owa_sid=</feedburner:origLink></item>
	<copyright>Copyright 2007</copyright><media:credit role="author">Josh More</media:credit><media:rating>nonadult</media:rating><media:description type="plain">Fuzzy Business</media:description></channel>
</rss>
