DHS, the government, and "cyber" security

The White House issued their "CyberDream" last month titled the "International Strategy for CyberSpace." The strategy is chock full of wonderful thoughts and ideas about what cyberspace should look like and even has a few really excellent threats leveled at people who may want to attack the US. The majority of the document seems to be a plea for other nations to share "our" vision. On one hand it would be amazing to have multiple nations sharing information and standing against those who would seek to do harm or gain information illegally via the digital realm. On the other hand, why don't we just defend our own assets better? If I had an extra hand I might suggest a blend of the two.

Really, I doubt it will matter since the government will want to be in charge of the whole program including some of the highly technical aspects. This is evidenced by DHS being funded with over 40 million dollars and their attempts to continue to hire infosec personnel. What's wrong with that? I am so glad you asked. Nothing would be wrong with that IF DHS is hiring new top-level decision makers along with the technical folks. If the same policy makers are in charge, nothing will change. They will hire bright and talented young technical folks, then ignore their recommendations and lose them to the private sector. Also known as "status quo." Reading the DHS, and other government, initiatives on hiring, they appear to believe that the only problem is the pay. That may be part of the problem, but the real issue I have seen is the promotion of the wrong personnel over time. The last government place I worked had dug a hole so deep and wide they didn't even know they were in a hole. Several manager-level personnel possessed zero technical skill or knowledge yet were making decisions regarding technologies they didn't understand. They were also responsible for hiring but didn't know how to hire since this field has been overrun with certifications, "policy analysts", and general confusion.

How bad is it? That used to be difficult to quantify but take a look at the major breaches that have happened in 2011. HBGary, RSA, and Lockheed are security-centric shops with deep technical talent that were pwned with techniques taught in any pen testing class you might want to take. The Oak Ridge National Lab was taken hostage and had to be disconnected from the Internet for weeks. Many of these intrusions were blamed on "APT" but they were not advanced techniques and they certainly didn't persist for very long. What really happened is the age-old theory of "acceptable risk" is being put to the test. If your entire enterprise can be jacked when one person clicks a link or opens a file something is not quite right. I have performed enough penetration tests to know that this is common and the excuses for not implementing deep, separate layers of security are many both valid and otherwise.

What's the fix? Get red teamed or pen tested using real techniques. Make sure the people performing the tests offer mitigations and remediations for the vulnerabilities they discover and exploit. HIRE THE RIGHT PEOPLE and GET RID OF THE WRONG PEOPLE. I cannot stress that enough, and I know hiring is difficult. If you don't know how to hire the right people, then you shouldn't be doing the hiring. I don't mean that at all in a rude or arrogant manner; simply ask for help and the infosec community will help you. I would be glad to assist your hiring, resume review, and interview process. I watched a government site two years ago replace a talented mid-level technical cyber ninja with a junior in college who knew nothing about security. Now I am all for bringing up new folks and teaching them, but you must keep good technical people, and hearing the phrase "we just need to hire people who get along, not any more smarty pants" was discouraging. I believe the government CAN do it right if they want to. Challenge the status quo, admit when mistakes are made, and persevere. Hire the right contractors to assist you. For some of us it isn't about money, it's about doing security right to protect assets as a higher calling. You do it right, because it's right.


APT = inAPTitude please pass the FUD

So, the Oak Ridge National Laboratory was absolutely pwned. How do we know it's "that bad" you ask? If they had to unplug from the Internet (read Facebook) for any amount of time, you know it's not good. I feel like we should address the immediate assigning of the breach to a determined nation state. Here's why I don't think you can call this APT now. For the record APT is defined well here:

1. The incident analysis is ongoing. There's no way they have had time to give full attribution already. If they could, you wouldn't need to completely disengage from the entire Internet.

2. A phishing attack with an alleged IE 0-day is not that advanced. Anyone with basic skill in Metasploit or the Social Engineering Toolkit could have done this with a 10 year old payload and completely bypassed whatever A/V they think protects them.

3. That place is wide open. For the most part it's an academic research facility full of foreign nationals, several of whom are from "sensitive countries", whatever that means. One walk across the lawn and you will see enough to know what I am talking about. This is not to say that anyone from a foreign country means the US harm.

4. That place gets owned all the time. I mean just use Google and you can read about it happening every few years. Despite this the same personnel and outdated protection schemes remain instantiated, welcome to the government.

5. The lab director states there was no large-scale exfiltration detected. If you had an advanced, determined attacker, they could exfiltrate without you knowing. Seriously, what ports are you allowing outbound from your users? When they SSH tunnel out to avoid your proxy, do you know what data is in said tunnel?

6. Even if you get some IP address in a nation we aren't cozy with, that isn't immediate attribution to said government. That could be someone in this country using one of their IP addresses as a pass through. Jumping to conclusions during an investigation is unhealthy and may give a false sense of closure.

I was saddened to learn this happened at ORNL. It was worse to have the director of the lab jump on the bandwagon of APT before the post-mortem analysis is complete.


Smart Grid Standards Groups

One of my co-workers estimated there are approximately 46 groups working on standards for the smart grid. Above is a partial list of the folks trying to work this out. I, and others from EnerNex, regularly contribute to these groups within our own areas of expertise. It will be interesting to see how things boil down once you have to migrate from a standard to an actionable solution. So far the cooperative effort is excellent. For all those involved I offer a free Internet high five.


Mid Atlantic Collegiate Cyber Defense Competition (CCDC)

Wow! Let me say that once more: WOW! Thanks to all the companies and other entities that sponsor this event as the next generation of "cyber warriors" is being educated. Boeing contacted my company, EnerNex, to see if we would be interested in assisting with certain aspects of this year's competition. This was shipped over to me since I am a penetration tester/security analyst. I was unable to help with the smart-grid scenario that had been planned for the competition and felt really bad about that. I flew up there on my birthday feeling just terrible that I had not been able to assist in any way. When I landed I sent a message to Casey O'Brien and Tim Rosenberg offering to help however they needed. Big note to self: do that more often. I was moved into the White Cell for the competition; specifically, I played federal law enforcement for incident response in an effort to teach the blue cell how to submit accurate, actionable information to law enforcement. Now on to how the event played.

The Teams:
Red Cell: Attackers, crackers, hackers. Their goal is to penetrate your systems, gain and keep access and wreak havoc.
Blue Cell: Defenders, their goal is to respond to current attacks and prevent future attacks. There were blue cells from different colleges and universities.
White Cell: These were the folks judging the business injects and observing the team. Additionally, certain members were designated as federal law enforcement. LE members were allowed to give limited guidance if a team was really struggling.
Gold Cell: Operations. These members were responsible for making the equipment work, scoring the game and keeping everything running. 

So what did they have to do? I am so glad you asked. Blue cells were given several nodes to defend based on a viable business scenario:

Business Scenario: Haven Electric CoOp (HEC)
Each year, the CyberWatch Mid-Atlantic CCDC presents a new exercise scenario and cutting-edge technologies that mimic those in the real world. This year’s scenario involves student teams working for the Haven Electric CoOp (HEC), a national electricity provider. With operations spread throughout the United States, HEC is a leading electric grid manager and reseller of Power Management Units (PMUs).
Because of risky investments, HEC has fallen on hard economic times and has been acquired by the U.S. government. Given the unstable future of the company, most of the IT staff has left for other jobs, while those remaining are less than effective. As a result, the government has brought in contractors to replace all the IT staff. The student teams are these contractors.
The student teams will be charged with maintaining and securing the network, while providing critical services and responding to the demands of clients, end users, upper management, and others. As employees of HEC, the students will also have access to the HEC Credit Union, where they can conduct their day-to-day banking.
Now what do they defend:
inside the firewall: 
Ms-Exchange 2003
MS Win 2008 AD server - 10,000 user accounts
Open PDC manager
Splunk - Ubuntu 10.x
MyBanco - Ubuntu 10.x
OpenPDC DB - Ubuntu 10.x
LibkiWikiID - Fedora 14 
outside the firewall:
Red team had a 30 minute head start so, if you haven't attempted to defend a network before, everything was already compromised by the time blue even "got to work." In addition to the aforementioned devices, each contestant wore a badge with an 802.15.4 ZigBee radio which beaconed every ten minutes with a predefined integer. The integer was power usage data so that, in effect, all players were wearing a smart meter that updated itself regularly. The meters were also in play and at the end of the first day, one blue cell member had somehow managed to use over 1 billion kilowatt hours. Larry Pesce built the badges and wrote the software that was used on them at a final price of $32 per badge, most excellent job by Larry. Some other nodes that weren't readily noticeable were two Cisco 7960 IP phones and a web-enabled surge protector which some red cell members took great delight in attacking.
At the end of day 1, there was a "corporate meeting" business inject requiring all blue cell to immediately leave the competition floor. For 10 minutes the red cell was allowed physical access to the blue pit where they wreaked havoc by taping Ethernet cables, swapping cables around, and running custom tools to add users and acquire password hashes. In ten minutes, the red cell successfully touched every blue cell node.
The days were long yet quite rewarding. I enjoyed helping the blue cells learn how to submit incident reports. Though I frustrated many of them by continually rejecting their reports for lack of evidence, they began to learn that I needed who, what, when, how, and maybe why to give attribution to an actor (threat). They also had to learn that it isn't what they think they know, it's what they can prove by providing corroborating evidence such as logs, files, and screenshots. Additionally, if a team was really struggling, I could provide hints and suggestions, or in dire cases I could take the blue cell member aside and have some teaching moments as they struggled with the complexities of being assaulted not only in the cyber world, but in the business world as well.
Did you say the business world? Yes, I did. The "CEO" flew in to interview the team captains after he learned that some of his assets had been compromised. Each captain was given the "opportunity" to sit and tell the CEO the state of affairs of his network and data. Some young folks responded with poise, others literally shook in their chairs, and still others refused to have their follow-up meeting. This was also excellent training that should help close the gap I have seen where non-technical people are not getting promoted. This also gave me an opportunity to speak with some of the captains outside of "the pit" (competition floor) to explain some of the terms used by their CEO and help prep responses in his language.
This was the best training a future IT security professional can receive and I truly appreciate that EnerNex was kind enough to send me. Being able to assist in events like this gives me hope that things can get better in InfoSec. It's always a pleasure to share experience and knowledge with those who are seeking a career in this field. Many dedicated educators are attempting to do this but they need practitioners from the real world to assist and fill in the gaps. I look forward to assisting more in this area both at our local schools here and with some of the colleges and universities I interacted with at this competition. I met some great students, faculty, parents, and sponsors. I also had the wonderful privilege of working with Casey O'Brien, Tim Rosenberg, Matt McFadden, Gary Stoneburner, and many others. Please keep in touch everybody.
For the curious:
Sponsors (we can't thank you enough):


Smart Grid Security East

I had a great time at this conference and got to meet some great folks. I also had the opportunity to be the first speaker on the first day which really helps the other talks as I set the bar pretty low. My two favorite talks were Travis Goodspeed leaving the crowd in stunned silence with some of his hardware ninjary, and Ido Dubrawsky from Itron during the AMI security workshop. Ido gave a great talk that was grounded in facts which is sadly lacking sometimes. Stephen Chasko and Ed Beroset also gave good talks from a vendor perspective. For the panel-style talks, I naturally enjoyed the penetration testers over most of the policy and strategy panels. I will have to say my favorite moment was a vendor offering perhaps a tiny bit of marketing hype being asked from an audience member "Are you saying you are guaranteeing absolute security from that point forward?" Of course, the vendor was not offering that and the talk proceeded smoothly. I enjoyed that because it represented the spirit of the conference. People spoke openly and disagreed with each other with facts and perspectives without anything devolving into chaos. There was even a meter vendor panel where they seemed to be working towards common goals regarding smart-meter security. A goal going forward is to get SCADA vendors involved and provide utilities with a way to share security-related information if they are experiencing an incident.

I was also privileged to connect with several gentlemen and ladies considered by many to be the leading experts in the efforts to make the smart grid secure. I cannot list them all but literally everyone I met was making a contribution to this effort. I can't wait to see the next event, it should be even better.


The Song Remains the Same

So Stuxnet was a "game changer" because we saw a private separated network get JACKED! Let me share some of the responses I have heard:

"They shouldn't have been using Windows"
"Stuxnet was no big deal if you weren't the target"
"There are enough other people that are vulnerable, they probably won't come after us"
"We have firewalls, IDS, and AV."

These comments come from vendors, CISOs, and security architects. Hi, you are missing the point. If you focus on the specifics of the attack these are somewhat accurate statements. If you look at the framework of the attack it should make you aware that you are at risk. Some components of Stuxnet were very generic and can provide a framework for future attacks. Check out this page by Ralph Langner:
Here are some questions to ask your CISO or security team lead or whoever you have entrusted your security to:

"How can our firewall (also include AV, IDS, etc) be defeated?"
"How can an attacker exfiltrate data once they are inside?"
"Can you (security d00d) exfiltrate data without anyone knowing?"

If you saw the report on Night Dragon, you saw another example of energy being targeted. The target was compromised via SQLi and the attack progressed using fairly standard, simplistic techniques. No offense to the target is meant here; I am targeting the mentality mentioned above. These folks had firewalls, AV, proxies, and policies. Their controls were overcome at every step with what the incident responders called "simple" techniques. Simple is a relative term, and the timeframe of the attack is not discussed. If this attack took place over a span of weeks it is relatively easy to recreate. If this attack was done in a matter of days or less, it was well planned and executed.


Critical Infrastructure Hacking FUD

Let's take a minute and talk about some of the FUD being slammed all around regarding critical systems hacking. We are talking about the electric power system, water, and other utilities or critical infrastructure. This article came out last week, stating that hackers can't do weird stuff to Hoover Dam. That article is accurate. Twitter exploded the same day with infosec and pen testers screaming "yes we can!" This is also accurate. We have to temper some of the almost outlandish claims we attackers make with the "you can't touch us" claims of infrastructure.
Why the Wired article is true:
1. Separated networks - The Hoover Dam (critical infrastructure sites) are not web apps that you can just stick in a web browser.

2. Infrastructure stuff breaks all the time - These people are trained to respond to outages a lot better than the IT in some organizations.

3. Hackers aren't breaking news - Infosec incidents get published all the time and, sometimes, utilities take notice and plan for these things.

Why what the hackers are saying is true:
1. Remember Stuxnet? - Those targets were air-gapped and didn't touch the Internet.

2. Resiliency != Security - Infrastructure people will say "when was the last time your lights went out?" when the question really is "When was the last time someone wanted to make your lights go out?"

3. Hackers evolve - When people start figuring out patching, web apps and client-side attacks shift to the front. When people get leery of those techniques, bring on insider threats and social engineering.

You have to get both sides of the story to understand the problem. If you are using computers, networks, and software you have risks. Reducing your attack surface by using air-gapped and private networks is an effective layer of defense. That said, security is never "done." It is an ongoing issue and it must be tested continuously. Insiders cannot be trusted, sometimes this is because of bad intentions, and sometimes it is because people make mistakes. We also have instances where you have say a SCADA operator granting remote sessions and connections for service or maintenance on the system, or they figure out some way to surf the web from their console. In case you have the world's best workers who never look for a way to goof off, we have the removable media attack vectors. I will leave a nasty USB drive in your parking lot or Starbucks and watch who picks it up etc.

Does your blue team tell you they can't be breached? If so, go find a red team and let a real-world scenario play out with them; you might learn that your team is as great as they say they are. You might find that they are unaware of certain vectors into your systems. For example, let's pretend you are performing a test of a "closed system" and everything initially seems to indicate that this is true. Then you notice you can resolve DNS names like Google, but you cannot get to the Internet via a web browser, so the system isn't touching the Internet, right? WRONG! Your assigned DNS servers, initially RFC 1918 addresses, become public IP addresses when you reboot while connected to the "private" network. Out of curiosity, you try to touch those servers from your home ISP and you can. This is news to your client since they had been assured otherwise by the provider. Maybe it even said that in their SLA.
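The resolver anecdote above is the kind of thing worth checking mechanically after every network change. This is an added example, not code from the original post: it parses resolv.conf-style text and flags any nameserver outside RFC 1918 space. The file contents and addresses are constructed; 203.0.113.53 is a documentation-range address standing in for a real public resolver.

```python
import ipaddress
from typing import Dict, List

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which also matches documentation and other special-purpose ranges that are
# not what a "private network" claim is about.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed resolv.conf contents before the reboot on the "private" network...
RESOLV_BEFORE = """\
# Generated by DHCP (constructed sample)
search corp.example
nameserver 10.20.0.53
nameserver 10.20.0.54
"""

# ...and after it, when one resolver has quietly become a public address
# (203.0.113.53 is a documentation-range stand-in, not a real resolver).
RESOLV_AFTER = """\
search corp.example
nameserver 203.0.113.53
nameserver 10.20.0.54
options timeout:2
"""


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses in resolv.conf text, ignoring comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable entry: do not treat it as private
    return any(ip in net for net in RFC1918)


def audit_resolvers(resolv_conf: str) -> Dict[str, List[str]]:
    """Split the configured resolvers into RFC 1918 and everything else."""
    result: Dict[str, List[str]] = {"private": [], "public": []}
    for addr in parse_nameservers(resolv_conf):
        result["private" if is_rfc1918(addr) else "public"].append(addr)
    return result


def new_public_resolvers(before: str, after: str) -> List[str]:
    """Resolvers that are non-RFC 1918 after a change and were not configured before."""
    seen = set(parse_nameservers(before))
    return [a for a in audit_resolvers(after)["public"] if a not in seen]


if __name__ == "__main__":
    print("before:", audit_resolvers(RESOLV_BEFORE))
    print("after: ", audit_resolvers(RESOLV_AFTER))
    print("new public resolvers:", new_public_resolvers(RESOLV_BEFORE, RESOLV_AFTER))
```

Run it against the real /etc/resolv.conf before and after reconnecting or rebooting; any address the second call reports is one to verify from outside the "private" network, exactly as the test above did.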

If you read the link regarding the Hoover Dam, someone who appears to be from the public affairs office is posting comments about how that cannot happen. You will see other folks asking how employees communicate and are part of the electric smart grid if they are so isolated. You cannot have it both ways. There's an example of someone touring a power generation facility and asking about security and the operator saying "We aren't connected to the Internet." The person touring asks how they receive communications and directives from their main facility which is several miles away. The operator points out that they receive e-mail on the control system machine. Now this is where perspectives will really diverge. For me, it's not the same to say you don't touch or use the Internet when you are, hopefully, using some sort of VPN tunnel. I view separate as not touching, tunneling, sharing a switch/router, or even the same network rack. SEPARATE. Don't get me wrong, I understand how extremely cost prohibitive it would be to build out your own personal WAN but it can be done. For the govie "cyber" security architects, there are a lot of good models to look at. Companies who have customers and dollars to lose take security pretty seriously.  

So can hackers open the gates of the Hoover Dam? No one has let me test it so all I can say is "maybe." The attack probably won't be attempted from some kid's basement but that doesn't mean it cannot be done. A lot of people say they aren't connected to Internet when they really are. All systems have vulnerabilities but not all vulnerabilities can be exploited with the same level of ease. Be a critical thinker and get both sides of every story.


Logging, Monitoring, and Defending (IDS/IPS)

Yesterday one of the email lists I monitor was debating the best IDS/IPS for large-scale implementation, and the Einstein project managed to surface. I followed the topic for a while. There wasn't much debate, but it did bring up some of the more interesting points I have noticed over the past decade in infosec. Some places still don't want IPS; they are content with IDS and just want to reduce their response time and have forensic evidence available when attacks occur. The biggest debate I see is how to choose a product to defend with. This used to be a proprietary vs. open-source argument, and sometimes still is. Lots of people decide to implement Snort so they only have to buy some hardware; others buy Snort via Sourcefire and get some support. Other folks like to get a pure commercial solution, which can be capable of much higher detection speed depending on how fast you need to go. The current rulers in IPS for the commercial world are Juniper and TippingPoint. McAfee is coming on strong after purchasing a competitor, re-branding and getting up to speed. What I found most interesting was that someone brought up using a government-made system. Historically, the government doesn't have a great track record for keeping things secure. Not all government entities are created equally, since different personnel work at different sites and agencies, so we will have to wait and see how this group does. Personally, I like COTS solutions when you are defending large-scale implementations, for the speed and support. That isn't to say your people aren't capable of deploying something different and being secure.

Whatever way you choose to go, don't end up like the diver in the picture. They have on all the necessary gear yet are unaware of the clear and present danger (the picture is fake). You will NOT implement an IDS/IPS and be secure simply because of its existence. You absolutely must log what happens and figure out a way to monitor your traffic. There are aggregation and correlation products out there that can take your vulnerability scans and/or customized input so that you don't have to be alerted when a Linux exploit is headed towards a Windows platform and vice versa. The goal for your implementation is to help your security posture. The ability to log is critical, but logging doesn't mean monitoring, and monitoring isn't always effective if it isn't actually human readable. In my experience, without a significant amount of customization and tweaking, an IDS will spew far too many alerts for an analyst to track. You may be doing your parsing with custom scripts, vendor filters, or a combination of the two.
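The "Linux exploit headed towards a Windows platform" suppression mentioned above is simple to do in a custom script. This is an added example, not code from the original post or from any IDS product: the alert lines, asset inventory and signature-to-platform mapping are all constructed, and the alert format is a simplified fast-alert style, not any vendor's exact output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed asset inventory, as a vulnerability scanner or CMDB export might
# provide it: destination IP -> operating system family.
ASSETS: Dict[str, str] = {
    "10.1.1.10": "windows",
    "10.1.1.20": "linux",
    "10.1.1.30": "windows",
}

# Constructed mapping from signature name to the platform it can actually
# affect. "any" marks platform-independent rules such as scans.
SIG_PLATFORM: Dict[str, str] = {
    "EXPLOIT linux kernel local overflow": "linux",
    "EXPLOIT windows smb remote": "windows",
    "SCAN nmap syn sweep": "any",
}

# Constructed alert lines: timestamp [**] signature [**] src:port -> dst:port
ALERTS = """\
03/01-10:00:01 [**] EXPLOIT linux kernel local overflow [**] 198.51.100.7:4444 -> 10.1.1.10:22
03/01-10:00:02 [**] EXPLOIT windows smb remote [**] 198.51.100.7:4444 -> 10.1.1.10:445
03/01-10:00:03 [**] EXPLOIT linux kernel local overflow [**] 198.51.100.7:4444 -> 10.1.1.20:22
03/01-10:00:04 [**] SCAN nmap syn sweep [**] 198.51.100.7:60000 -> 10.1.1.30:80
03/01-10:00:05 [**] EXPLOIT windows smb remote [**] 198.51.100.7:4444 -> 10.1.1.99:445
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] (?P<sig>.+?) \[\*\*\] (?P<src>\S+) -> (?P<dst>\S+)$"
)


@dataclass
class Alert:
    ts: str
    sig: str
    src: str
    dst_ip: str
    dst_port: int


def parse_alerts(text: str) -> List[Alert]:
    """Parse the simplified alert lines; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        dst_ip, dst_port = m.group("dst").rsplit(":", 1)
        alerts.append(Alert(m.group("ts"), m.group("sig"), m.group("src"), dst_ip, int(dst_port)))
    return alerts


def triage(alert: Alert, assets: Dict[str, str] = ASSETS,
           sig_platform: Dict[str, str] = SIG_PLATFORM) -> str:
    """'suppress' only when the signature targets a platform the destination
    host is known not to run. Unknown hosts and platform-independent rules are
    always kept: an incomplete inventory must not hide real alerts."""
    target = sig_platform.get(alert.sig, "any")
    host_os = assets.get(alert.dst_ip)
    if target == "any" or host_os is None:
        return "keep"
    return "suppress" if host_os != target else "keep"


def correlate(text: str) -> Dict[str, List[Alert]]:
    """Bucket every parsed alert into keep/suppress using the inventory."""
    result: Dict[str, List[Alert]] = {"keep": [], "suppress": []}
    for alert in parse_alerts(text):
        result[triage(alert)].append(alert)
    return result


if __name__ == "__main__":
    for bucket, items in correlate(ALERTS).items():
        print(bucket)
        for a in items:
            print(f"  {a.ts} {a.sig} -> {a.dst_ip}:{a.dst_port}")
```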

I am anxiously waiting to see which way the smart grid will choose to go. It seems like the current feeling is that nothing would be able to monitor the massive amount of traffic and nodes (millions) that might be generated on some of these networks. Hey IPS vendors, we are looking at you.


Wiping hard drives to stop wasting money

I saw this post today and can't believe this myth is still out there. Here's the scoop, go ask an IT person "How many times do I have to wipe a drive to completely erase it?" You will hear many answers and the most popular will likely be 3 times, 7 times, it can never be erased. Let's clear it up. If you make one pass correctly your mission is accomplished. This is how magnetic media works, feel free to test it yourself with the forensic/data recovery tool of choice. How does wasting money come into play?

I was once part of a project testing multiple web proxy vendors. A work policy stated that hard drives could not be returned to vendors and all drives had to be degaussed then shredded. This was for non-classified material that would be tough to even call sensitive. One vendor was set to charge around 16k for the drives in their product. In order to avoid this charge I began asking if there was a waiver process, how it worked, and if the policy was in-house or from a more "legal" entity. Sure enough, there was a waiver process. I filled out the (un) necessary forms and also attempted to explain why this may not be required in the future in order to save my company and the vendor money. No amount of demonstration or discussion seemed to convince people that seven passes, degaussing, and shredding were the only way to maybe prevent our data from falling into the hands of the empire. This was a two-week process with regular chastisement received by me for even attempting to return a drive. At the culmination of the project I erased the drives manually using dd and then handed them to our other forensic examiner to ensure he could not retrieve data. The data was gone, the drives returned and we managed to save thousands of dollars. As I gave the final status report one of the managers stated "We probably could have saved $16,000 if we had just followed the policy." Feeling offended by that I retorted "If the policy is technically inaccurate or wrong, we should fix the policy because it makes us look stupid." Not my most humble moment.
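The "test it yourself" challenge above and the dd-then-hand-it-to-the-examiner routine from this story can be rehearsed on a file image before touching a real drive. This is an added example, not the author's code: it plants a constructed marker string in a random-filled image, makes one pass of zeros over it in blocks (the file-level equivalent of a single dd pass), then verifies that every byte is zero and that the marker can no longer be found.

```python
import os
import tempfile
from typing import Dict

BLOCK = 1 << 20  # 1 MiB read/write granularity, like a dd block size


def plant_marker(path: str, size: int, marker: bytes) -> None:
    """Fill an image with random bytes and embed a marker standing in for
    the "sensitive" data a forensic examiner would later hunt for."""
    data = bytearray(os.urandom(size))
    offset = size // 2
    data[offset:offset + len(marker)] = marker
    with open(path, "wb") as f:
        f.write(data)


def wipe_image(path: str, block_size: int = BLOCK) -> int:
    """One pass of zeros over the whole image, block by block, then fsync.
    Returns the number of bytes written so the caller can compare it with
    the image size: a short write is a failed wipe, not a finished one."""
    size = os.path.getsize(path)
    zero_block = bytes(block_size)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            chunk = min(block_size, size - written)
            f.write(zero_block[:chunk])
            written += chunk
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_zeroed(path: str, block_size: int = BLOCK) -> bool:
    """Read the image back and confirm every byte is zero."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block_size)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def marker_present(path: str, marker: bytes, block_size: int = BLOCK) -> bool:
    """Crude recovery attempt: scan for the marker, carrying a tail across
    block boundaries so a marker straddling two reads is still found."""
    overlap = len(marker) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block_size)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-overlap:] if overlap else b""


def demo(size: int = 3 * 1024 * 1024 + 123) -> Dict[str, object]:
    """Plant, wipe and verify on a temporary image; returns the evidence."""
    marker = b"ACCT-TEST-MARKER-0042"  # constructed stand-in for real data
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        plant_marker(path, size, marker)
        before = marker_present(path, marker, block_size=64 * 1024)
        written = wipe_image(path, block_size=64 * 1024)
        return {
            "marker_before": before,
            "bytes_written": written,
            "size": size,
            "zeroed": verify_zeroed(path),
            "marker_after": marker_present(path, marker, block_size=64 * 1024),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The odd image size and small block size in demo() are deliberate: they exercise the partial final block and the marker-spanning-two-reads path, the two places a sloppy wipe or a sloppy verification script tends to go wrong.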

As far as I know that company continues to destroy drives in the name of security that could be recycled, reused, or returned. This effort likely costs millions of dollars annually and provides landfills with many tiny shards of metal that will never break down. Policies are good things when they are accurate.


Acceptable Risk (What's it going to take for security to be important?)

It was an interesting weekend in the cyber-security world to say the least. Some guy who goes by "srblche srblchez" began selling .gov, .edu, and .mil websites, or more accurately control of those sites. For attribution I am pulling information from multiple sources such as:
Rafal Los' interview with the dude:

Brian Krebs blog:

Martin Bos (purehate_) found the real site here:

Some of the excellent points from information security pros are the hair-pullingly frustrating "I told you so when I tested your environment." I think every pen tester and blue teamer out there has felt this at one point or another. Several talks I saw online last year focused on the fact that we haven't adequately communicated to the decision makers how security impacts their mission or their bottom line. This is completely true. I have seen pen-testing reports that are purely technical and not readable by management executives. Rafal asked "What will it take?" Based on the way we teach economics, and the gazillions of people getting their MBA, it will take a direct tie to putting dollars into the company's pocket. CFOs/CEOs want you to be able to answer this question:
"If I invest dollars how much will I earn?" or "If I don't address vulnerability how many dollars will I lose?"

These are not easy questions to answer and a penetration test only brings part of the answer. The larger answer comes from business case analysis and understanding a failure scenario surrounding the vulnerabilities discovered. Until security equals dollars in a pocket then it will be tough. We will continue to fight the "acceptable risk"

This line of thinking comes from my experiences attempting to align security with business mission. I once wrote a five year strategic plan for an organization aligning the mission of security with the mission of the organization and it was completely disregarded. The point is not that my work was not used, the point is that it didn't even generate discussion. No talk, no action. In fact they put someone in charge of security that clearly stated there were almost no problems with their current mode of operations despite test results to the contrary. Even moving beyond that, the group had little funding despite security being "important" to this organization. Sadly, this was not a unique situation. The companies I have seen do security the best were those that know their reputation is on the line and understand that a breach would lose them customers(dollars). Sadly, this would exclude the types of sites that were compromised.

Here are the points for people in charge:

  1. Hire the right people - People who are seeking to learn perpetually and understand that security yesterday is being pwned tomorrow. A project manager or policy maker should not be making technical decisions they do not understand.
  2. Fund these people - Security should be 15-20 % of your IT budget every year. If you haven't seen an equipment upgrade or product requisition for a few years, something is wrong.
  3. Yesterday's technology (firewalling, IPS, DMZ, A/V) needs help - Anti-virus programs are necessary but don't rely on them. If you think updated definitions protect you, look up Shikata Ga Nai.
  4. The "help" is your people - Talented infosec people are your only defense. No device you buy is a silver bullet and salespeople will say anything to get a sale. If you don't believe me, get a DLP solution and WinZip and see for yourself.
  5. Test your environment with real scenarios - Don't prescribe the environment to the testing entity. Make it as real as possible or you will never know where you actually stand and be lulled into a false sense of security.
  6. Policy without a technical control is faith - Don't just tell people what not to do, actually prevent it. "We don't allow portable media." is a lot different than "We really hope people aren't using portable media and we will fire them if they do."
  7. Policies and controls must line up - Don't tell your people to have and 8 character password with mixed case and special characters then make them have a password with six characters, single case, and no special characters. (yeah, I have seen this)
  8. Security policies should be written by security people, not HR - If you don't understand the policy, more specifically how to break it, you probably shouldn't write it.
  9. There are more but I 'm tired.
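Points 3 and 4 above come down to the same thing: a control that matches bytes only sees the bytes it was written for. The following is an added example (not code from the original post, and not any vendor's DLP product) that shows the WinZip trick in miniature. A regex-based scanner looks for an SSN-like pattern in a constructed record, finds it in plaintext, then misses the same record once it is deflated inside a zip. The second scanner opens zip containers recursively and, because it cannot read a password-protected entry, flags that entry rather than passing it. The sample record, the SSN pattern and the nesting limit are all assumptions made for the example.

```python
import io
import re
import zipfile

# Constructed sample record for the example; the SSN is fake.
SENSITIVE_TEXT = b"Customer record\nName: J. Doe\nSSN: 123-45-6789\n"

# Toy DLP "signature": a US SSN-shaped token. Real products carry many more.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def naive_dlp_scan(data: bytes) -> bool:
    """Plaintext-only scanner: True if the pattern appears in the raw bytes."""
    return SSN_RE.search(data) is not None


def make_zip(payload: bytes, name: str = "record.txt") -> bytes:
    """Build a deflated zip archive in memory, the way WinZip would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def container_aware_dlp_scan(data: bytes, depth: int = 0, max_depth: int = 3):
    """Returns (flagged, reason).

    Recurses into zip archives up to max_depth (assumed limit, to stop zip bombs
    from exhausting the scanner). An encrypted entry cannot be inspected, so it
    is flagged outright: the policy decision here is "uninspectable == blocked".
    """
    if SSN_RE.search(data):
        return True, "pattern found in plaintext"
    if depth >= max_depth:
        return False, "max nesting depth reached; not inspected further"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general purpose bit 0: entry is encrypted
                    return True, f"{info.filename}: encrypted entry, cannot inspect"
                flagged, reason = container_aware_dlp_scan(zf.read(info), depth + 1, max_depth)
                if flagged:
                    return True, f"{info.filename}: {reason}"
    return False, "clean"


if __name__ == "__main__":
    archive = make_zip(SENSITIVE_TEXT)
    print("naive scan, plaintext :", naive_dlp_scan(SENSITIVE_TEXT))
    print("naive scan, zipped    :", naive_dlp_scan(archive))
    print("container-aware, zipped:", container_aware_dlp_scan(archive))
    print("container-aware, nested:", container_aware_dlp_scan(make_zip(archive, "inner.zip")))
```

Python's zipfile module cannot write password-protected archives, so the encrypted branch is not exercised by running the block; it is there because that is exactly the WinZip case the point is about. Once the archive is encrypted, no scanner can read it, and the only remaining control is a policy decision about whether uninspectable traffic is allowed to leave at all. That decision is made by a person, which is the point of item 4.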


Stuxnet is a US-Israeli joint operation

The NY Times published an article which does not cite named sources. This is normal and acceptable in journalism, I won't beat that horse. I would like to point out that it is all speculation at this point.

The buzz about this started over the weekend and the “confidential sources” part is what’s keeping it interesting. It is worth noting that the source could be Iran itself. The clues in the code, dates and “Myrtus”, could just as easily be a smokescreen. Some speculate those clues were planted to throw investigators from the actual trail. Here’s Iran saying we did it:
Interesting points I observed about the video.
1. No Iranian, scientist or otherwise, is shown in footage with the reactor
2. All signs on walls and doors are in English
3. Everything in Persian (Farsi) or showing Islamic symbols is just paper taped to the walls

"Cyber Warfare"

This term has been thrown around a little and yesterday the Organization for Economic Cooperation and Development (OECD) released a report saying that "true cyberwar is unlikely." Here's an excerpt that was sent to me for comment:

“There is nothing new in what the hacktivists are doing,” Mr. Sommer said. “It really should not be exaggerated. It’s really more like the kind of thing Greenpeace does.”

“We have to get used to the fact that popular protests, as well as skirmishes between nations, are going to have a cyber dimension,” he added. “Some people say cyberespionage is just a few clicks away from cyberwar. It’s not; it’s just another way of spying.”

Report challenges cyberwar doomsday scenarios
New York Times January 17, 2011

A new study commissioned by the Organization for Economic Cooperation and Development says a true cyberwar is unlikely, and that -- unlike scenarios painted by many recent books and articles on the topic -- advanced countries could recover from such a conflict within days, even hours. "You have this sort of competition between writers to say, 'I have a scarier story than you do,'" said co-author Peter Sommer of the London School of Economics.

I agree that sometimes infosec folks can get into the habit of telling the scarier story. If that scarier story is true though shouldn't we take heed? I responded with the following:

This is an interesting take and really just seems to be a language issue. I suppose it all depends on how you define "war" and "warfare." Mr. Sommer's quote "... skirmishes between nations, are going to have a cyber dimension" is war in some people's eyes. Also, if it's "..just another way of spying," do wars ever start because of more traditional espionage? I also don't really understand the Greenpeace reference, since they don't really attempt government-level espionage. As for the statement that "... advanced countries could recover from such a conflict within days, even hours," that's a great point; a cyber-based attack would only be devastating if followed by a tactical operational attack to take advantage of the service disruption. The ability to disrupt, or intercept, communications to and from your target would give you a significant advantage. This ability has brought about encrypted communications by default for the military, while critical infrastructure has not yet seen the need for this. One of the issues we discuss with our customers when penetration testing is to assess the impact of the operational decisions made based on information received from a field-connected device. Can I get a human, or machine, to initiate an action if I provide false data?

In 2008 Russia attacked Georgia and used cyber attacks as part of their campaign. I wonder if that would be considered cyber warfare by the authors or just a skirmish? Then, to be fair, I wonder how Georgia would define it.

I believe cyber "war" is a reality and will be used as a component of real large-scale attacks in the future. What do you think?


We lost a good man yesterday

The attached song is one I play when my heart is grieving but my spirit is rejoicing. When I saw Mercy Me perform it the first time they shared the heart-wrenching story of how it had been written and it seems appropriate today.
Jason Kennard died last night in a car accident. When I was in the praise band at The Church at Sterchi Hills, his wife Lisa would always ask for prayer that the Lord would convict Jason and he would be saved. During this time, we built a new building and had a week-long revival to celebrate the opening. During the revival Jason came to hear one of the messages and received Christ as his savior. It was one of the greatest moments God has allowed me to witness. Shortly after this, Lisa was in Florida and Jason "dropped dead" of a massive stroke while home alone with his young children. I remember clearly sitting in the ER waiting room at St. Mary's hospital waiting for Lisa to return home from Florida so that Jason's life support could be removed. While we waited, and prayed, Jason showed some level of responsiveness, which then prevented life support from being withdrawn. Also during that time, one of Jason's friends contacted Lisa and told her that God had told her that Jason would be raised up from this because the Lord had plans for him. She quoted Jeremiah 29:11 "..For I know the plans I have for you," declares the LORD, "plans to prosper you and not to harm you, plans to give you hope and a future." (NIV) I had the wonderful opportunity to spend every afternoon for the next two weeks watching Jason be healed by the hand of God. Each day he became more responsive and gave everyone a visualization of faith. Jason became a faithful servant of the Lord, leading his family and being the man God had called him to be. He was a walking miracle and one of the examples God showed me of walking through the fire of life's trials and emerging as a better man on the other side.
Please keep Lisa, Zack, Whitney, and Seth in your prayers. We know that Jason has been raised up by the Father and healed but our earthly hearts still hurt for the man we will be missing.
Grace and Peace to you.


Compliance != Security

We have so many compliance regulations and auditors now that information security should be getting exponentially better every year. PCI just came out with a new standard, HIPAA received an overhaul recently, and who knows how many other NIST standards are being re-written and re-worked. This is not the case; we see compliant entities hacked all the time. Worse, they are hacked with what seems like the same old techniques. Disclaimer: I know some talented auditors, and they understand where the pitfalls and shortcomings are; do not blame the auditors.

I understand, and sympathize with, the fact that some of you have to be compliant with some organization's requirements. I also believe that compliance was (is) a good idea and that it means well. What appears to happen is that compliance becomes something you can purchase. We also believe that a compliance-based certification makes our auditor an expert. Business owners want to know "How secure can I be for n dollars?" and "How much will it cost to be secure in area x?" For some reason we (security dudes) have not adequately conveyed (or maybe we have) that this is not a static, black and white area. Threat and attack vectors shift and change from day to day, hour to hour, and sometimes from one minute to the next. Is there an effective way to combat this without bankrupting your organization? Can this be done without implementing a police state on your users? Yes, it can. Can you be "hacker proof," ever relax, and do things the same way you always have? No, you cannot. Working together with the right information security personnel, policies, procedures, and technical controls, you can bring balance to the force.

When preparing for an audit, remember that an auditor can be used to enhance your security posture. One organization I have seen in the past viewed an auditor as an enemy and spent weeks planning how to lie and hide things. It would have been less expensive and less effort to simply be compliant. The auditor you choose, or the one chosen for you, can also determine your security posture. An auditor with experience as a penetration tester is likely to ask better questions when working through the unfortunate checklists. An auditor who is only trained to observe a checklist may view things differently. For example, firewalls are typically required by compliance mechanisms. An auditor thinking like a hacker is used to overcoming and bypassing firewalls and may choose to audit your rule set or assist with configuration changes. You may have a best-of-breed monster firewall, but if you have 700 exceptions then you may be leaking data. Web proxies are another good example. You may have every user flowing through a proxy to prevent abuse and drive-by downloads and to enforce policy. An auditor with a penetration testing background may think to ask how many SSH tunnels (users possibly bypassing the proxy) are exiting your network, where a standard auditor may not think of this. Remember, not all CISAs, CISMs, and QSAs are created equal. If you need an auditor, send me an email; I know several excellent folks who are also active pen testers.
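The proxy question above is answerable from data you already have. As an added example (not code from the original post, and not from any auditor's toolkit), the block below runs over a constructed set of flow records and asks the penetration tester's question: which workstations are talking to the internet without going through the proxy, and which of those connections look like SSH tunnels? The workstation subnet, the proxy address, the record format and the tunnel thresholds are all assumptions made for the example; substitute your own from the firewall or NetFlow export.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions for the example (not from the original post): the user workstation
# subnet that must use the proxy, the approved proxy, and the private ranges that
# count as internal traffic.
USER_NET = ipaddress.ip_network("10.20.0.0/16")
PROXY = ("10.1.1.5", 3128)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records, one per line:
#   start_epoch src_ip src_port dst_ip dst_port proto bytes duration_seconds
SAMPLE_FLOWS = """\
1295000000 10.20.4.17 51022 10.1.1.5 3128 tcp 48211 12
1295000010 10.20.4.17 51030 10.1.1.5 3128 tcp 9020 3
1295000020 10.20.9.3 44100 203.0.113.10 22 tcp 7340211 5400
1295000030 10.20.9.3 44101 203.0.113.10 443 tcp 1200 4
1295000040 10.20.7.8 40000 198.51.100.7 22 tcp 2048 2
1295000050 10.1.1.5 33000 198.51.100.20 443 tcp 100000 8
1295000060 10.20.4.17 51040 10.30.0.9 445 tcp 5000 1
"""


@dataclass
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    duration: int


def parse_flows(text: str) -> list:
    """Parse the whitespace-separated flow format assumed above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes, dur = line.split()
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport), proto, int(nbytes), int(dur)))
    return flows


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def classify(f: Flow, tunnel_min_seconds: int = 600, tunnel_min_bytes: int = 1_000_000):
    """Return a finding label for a workstation flow that bypasses the proxy, else None.

    Thresholds are assumed: an SSH session that stays up for ten minutes or moves
    a megabyte looks more like a tunnel than an admin logging in to check something.
    """
    if ipaddress.ip_address(f.src) not in USER_NET:
        return None  # only workstations are required to use the proxy
    if (f.dst, f.dport) == PROXY:
        return None  # the approved path
    if is_private(f.dst):
        return None  # internal traffic; not the proxy's concern
    if f.dport == 22 and (f.duration >= tunnel_min_seconds or f.nbytes >= tunnel_min_bytes):
        return "ssh-tunnel-candidate"
    if f.dport == 22:
        return "direct-ssh-egress"
    return "proxy-bypass"


def audit(text: str) -> list:
    """Run classify() over every record; return (src, dst, dport, label) for each finding."""
    findings = []
    for f in parse_flows(text):
        label = classify(f)
        if label:
            findings.append((f.src, f.dst, f.dport, label))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Every flow in the sample that is not the proxy, not internal, and not from the proxy itself is a policy violation; only the long, heavy one on port 22 is promoted to a tunnel candidate. The obvious evasion is an SSH server listening on 443, which this port-based check cannot distinguish from web traffic, so the real control is the firewall rule that denies direct egress from the workstation subnet in the first place. The script tells you whether that rule actually exists; it does not replace it.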

Next, make sure you do prepare for compliance, or certification & accreditation, audits. How you prepare is critical. While you should make sure you are prepared for the auditor's checklist, do not stop there. Do not assume an attacker will be using that checklist or that the creator of that checklist thinks like an attacker. As a best practice, have an independent third party red team your environment. Penetration testing from multiple perspectives can provide excellent insight concerning your security posture. Being tested externally and internally from black/white/crystal box perspectives will provide you with a comprehensive understanding of where you stand. When I say third party, I mean completely unaffiliated with your organization. If you are a government agency, I am not referring to your agency's IG or internal audit. Hire people who will think like a bad guy but are not part of your blue team efforts. There are several reasons for not using your own people; I will list a few here:

  1. Your people are familiar with your culture and environment. While this can be a good thing, it can skew results by overlooking points of failure or vulnerability.
  2. Pride may come into play. How forthcoming will your people be in pointing out issues in a program they have spent years "perfecting"?
  3. A third party does not stand to lose (or gain) from your organization's internal culture (performance reviews, bonuses, profit sharing, etc.).
  4. A third party will see if your paper policy is effective. A policy without a control is an exercise in writing and awareness.

I am sure there are more but my ADHD has kicked in and I lost interest.

Most importantly, remember that threat and attack vectors change rapidly. You passed your audit today, you got red teamed and remediated every single finding; good job, but remember that what the attacker could not break yesterday they may break today. Information security is a never-ending profession and requires constant vigilance and dedication. Make sure you (and/or your team) are constantly learning. Stay on top of new threats and attacks by listening to the security researchers out there. If you and your people are behind, get some training and/or hire some consultants to get you up to speed. The only thing that will make you secure is you and your team.


Interesting Acquisition Trends

Let's take a look at some of the mergers, acquisitions, and takeovers that have taken place recently. In no particular order, here are the big ones that come to mind.

Intel snags McAfee - Don't forget that McAfee had also been buying up IDS, Firewall, and DLP solutions prior to this.

HP acquires ArcSight - ArcSight is a small company but regarded as best of breed in what they do.

HP acquires TippingPoint - It came along with 3Com (anyone remember them?), of which TippingPoint was a division. TippingPoint is regarded by some as a best-of-breed IPS.

Dell grabs SecureWorks - Very interesting move for Dell.

I am sure there are more of these, but these all stuck out as companies which want to be able to provide, now or sometime in the future, some sort of complete solution for their customers. This business model will be interesting to watch. Will the people who spend the money prefer one "silver bullet" solution, or will they see this as putting all their eggs in one basket? What happens to people who want a Dell data center with a TippingPoint IPS and/or an ArcSight SIEM? This also blurs the lines between competition and interoperability.