Wiping hard drives to stop wasting money

I saw this post today and can't believe this myth is still out there. Here's the scoop, go ask an IT person "How many times do I have to wipe a drive to completely erase it?" You will hear many answers and the most popular will likely be 3 times, 7 times, it can never be erased. Let's clear it up. If you make one pass correctly your mission is accomplished. This is how magnetic media works, feel free to test it yourself with the forensic/data recovery tool of choice. How does wasting money come into play?

I was once part of a project testing multiple web proxy vendors. A work policy stated that hard drives could not be returned to vendors and all drives had to be degaussed then shredded. This was for non-classified material that would be tough to even call sensitive. One vendor was set to charge around 16k for the drives in their product. In order to avoid this charge I began asking if there was a waiver process, how it worked, and if the policy was in-house or from a more "legal" entity. Sure enough, there was a waiver process. I filled out the (un) necessary forms and also attempted to explain why this may not be required in the future in order to save my company and the vendor money. No amount of demonstration or discussion seemed to convince people that seven passes, degaussing, and shredding were the only way to maybe prevent our data from falling into the hands of the empire. This was a two-week process with regular chastisement received by me for even attempting to return a drive. At the culmination of the project I erased the drives manually using dd and then handed them to our other forensic examiner to ensure he could not retrieve data. The data was gone, the drives returned and we managed to save thousands of dollars. As I gave the final status report one of the managers stated "We probably could have saved $16,000 if we had just followed the policy." Feeling offended by that I retorted "If the policy is technically inaccurate or wrong, we should fix the policy because it makes us look stupid." Not my most humble moment.

As far as I know that company continues to destroy drives in the name of security that could be recycled, reused, or returned . This effort likely costs millions of dollars annually and provides landfills with many tiny shards of metal that will never break down. Policies are good things when they are accurate.


Acceptable Risk (What's it going to take for security to be important?)

It was an interesting weekend in the cyber-security world to say the least. Some guy who goes by"srblche srblchez" began selling .gov, .edu, and .mil websites or more accurately control to those sites. For attribution I am pulling information from multiple sources such as:
Rafal Los' interview with the dude:

Brian Krebs blog:

Martin Bos (purehate_) found the real site here:

Some of the , excellent, points from information security pros are the hair-pullingingly frustrating "I told you so when I tested your environment." I think every pen tester and blue teamer out there has felt this at one point or another. Several talks I saw online last year focused on the fact that we haven't adequately communicated to the decision makers how security impacts their mission or their bottom line. This is completely true. I have seen pen-testing reports that are purely technical and not readable by management executives. Rafal asked "What will it take?" Based on the way we teach economics, and the gazillions of people getting their MBA, it will take a direct tie to putting dollars into the company's pocket. CFO/CEOs want you to be able to answer this question:
"If I invest dollars how much will I earn?" or "If I don't address vulnerability how many dollars will I lose?"

These are not easy questions to answer and a penetration test only brings part of the answer. The larger answer comes from business case analysis and understanding a failure scenario surrounding the vulnerabilities discovered. Until security equals dollars in a pocket then it will be tough. We will continue to fight the "acceptable risk"

This line of thinking comes from my experiences attempting to align security with business mission. I once wrote a five year strategic plan for an organization aligning the mission of security with the mission of the organization and it was completely disregarded. The point is not that my work was not used, the point is that it didn't even generate discussion. No talk, no action. In fact they put someone in charge of security that clearly stated there were almost no problems with their current mode of operations despite test results to the contrary. Even moving beyond that, the group had little funding despite security being "important" to this organization. Sadly, this was not a unique situation. The companies I have seen do security the best were those that know their reputation is on the line and understand that a breach would lose them customers(dollars). Sadly, this would exclude the types of sites that were compromised.

Here are the points for people in charge:

  1. Hire the right people - People who are seeking to learn perpetually and understand that security yesterday is being pwned tomorrow. A project manager or policy maker should not be making technical decisions they do not understand.
  2. Fund these people - Security should be 15-20 % of your IT budget every year. If you haven't seen an equipment upgrade or product requisition for a few years, something is wrong.
  3. Yesterday's technology (firewalling, IPS, DMZ, A/V) needs help - Anti-virus programs are necessary but don't rely on them If you think updated definitions protect you, look up Shikata Ga Nai.
  4. The "help" is your people - Talented infosec people are your only defense. No device you buy is a silver bullet and salespeople will say anything to get a sale. If you don't believe me get a DLP solution and winzip and see for yourself
  5. Test your environment with real scenarios - Don't prescribe the environment to the testing entity. Make it as real as possible or you will never know where you actually stand and be lulled into a false sense of security.
  6. Policy without a technical control is faith - Don't just tell people what not to do, actually prevent it. "We don't allow portable media." is a lot different than "We really hope people aren't using portable media and we will fire them if they do."
  7. Policies and controls must line up - Don't tell your people to have and 8 character password with mixed case and special characters then make them have a password with six characters, single case, and no special characters. (yeah, I have seen this)
  8. Security policies should be written by security people, not HR - If you don't understand the policy, more specifically how to break it, you probably shouldn't write it.
  9. There are more but I 'm tired.


Stuxnet is a US-Israeli joint operation

The NY Times published an article which does not cite named sources. This is normal and acceptable in journalism, I won't beat that horse. I would like to point out that it is all speculation at this point.

The buzz about this started over the weekend and the “confidential sources” part is what’s keeping it interesting. It is worth noting that the source could be Iran itself. The clues in the code, dates and “Myrtus”, could just as easily be a smokescreen. Some speculate those clues were planted to throw investigators from the actual trail. Here’s Iran saying we did it:
Interesting points I observed about the video.
1. No Iranian is shown, scientist or not, in footage with the reactor
2. All signs on walls and doors are in English.
3. Everything in Persian or Farsi or showing Islamic symbols is just paper taped to the walls

"Cyber Warfare"

This term has been thrown around a little and yesterday the Organization for Economic Cooperation and Development (OECD) released a report saying that "true cyberwar is unlikely." Here's an excerpt that was sent to me for comment:

“There is nothing new in what the hacktivists are doing,” Mr. Sommer said. “It really should not be exaggerated. It’s really more like the kind of thing Greenpeace does.”

“We have to get used to the fact that popular protests, as well as skirmishes between nations, are going to have a cyber dimension,” he added. “Some people say cyberespionage is just a few clicks away from cyberwar. It’s not; it’s just another way of spying.”

Report challenges cyberwar doomsday scenarios
New York Times January 17, 2011

A new study commissioned by the Organization for Economic Cooperation and Development says a true cyberwar is unlikely, and that -- unlike scenarios painted by many recent books and articles on the topic -- advanced countries could recover from such a conflict within days, even hours. "You have this sort of competition between writers to say, 'I have a scarier story than you do,'" said co-author Peter Sommer of the London School of Economics.

I agree that sometimes infosec folks can get into the habit of telling the scarier story. If that scarier story is true though shouldn't we take heed? I responded with the following:

This is an interesting take and really just seems to be a language issue. I suppose it all depends on how you define "war" and "warfare." Mr. Sommer's quote "... skirmishes between nations, are going to have a cyber dimension,” is war in some people's eyes. Also, if it's "..just another way of spying" do wars ever start because of more traditional espionage? I also don't really understand the Greenpeace reference since they don't really attempt government-level espionage. As for the statement that "... advanced countries could recover from such a conflict within days, even hours." That's a great point, cyber-based attack would only be devastating if followed by a tactical operational attack to take advantage of the service disruption. The ability to disrupt, or intercept, communications to and from your target would give you a significant advantage. This ability has brought about encrypted communications by default for the military while critical infrastructure has not yet seen the need for this. One of the issues we discuss with our customers when penetration testing is to assess the impact of the operational decisions made based on information received from a field-connected device. Can I get a human, or machine, to initiate an action if I provide false data?

In 2008 Russia attacked Georgia and used cyber attacks as part of their campaign. I wonder if that would be considered cyber warfare by the authors or just a skirmish? Then, to be fair, I wonder how Georgia would define it.

I believe cyber "war" is a reality and will be used as a component of real large-scale attacks in the future. What do you think?


We lost a good man yesterday

The attached song is one I play when my heart is grieving but my spirit is rejoicing. When I saw Mercy Me perform it the first time they shared the heart-wrenching story of how it had been written and it seems appropriate today.
Jason Kennard died last night in a car accident. When I was in the praise band at The Church at Sterchi Hills, his wife Lisa would always ask for prayer that the Lord would convict Jason and he would be saved. During this time, we built a new building and had a week-long revival to celebrate the opening. During the revival Jason came to hear one of the messages and received Christ as his savior. It was one of the greatest moments God has allowed me to witness. Shortly after this, Lisa was in Florida and Jason "dropped dead" of a massive stroke while home alone with his young children. I remember clearly sitting in the ER waiting room at St. Mary's hospital waiting for Lisa to return home from Florida so that Jason's life support could be removed. While we waited, and prayed, Jason showed some level of responsiveness which then prevents life support from being cancelled. Also during that time, one of Jason's friends contacted Lisa and told her that God had told her that Jason would be raised up from this because the Lord had plans for him. She quoted Jeremiah 29:11 "..For I know the plans I have for you,” declares the LORD, “plans to prosper you and not to harm you, plans to give you hope and a future."(NIV) I had the wonderful opportunity to spend every afternoon for the next two weeks watching Jason be healed by the hand of God. Each day he became more responsive and gave everyone a visualization of faith. Jason beacame a faithful servant of the Lord, leading his family and being the man God had called him to be. He was a walking miracle and one of the examples God showed me of walking through the fire of life's trials and emerging as a better man on the other side.
Please keep Lisa, Zack, Whitney, and Seth in your prayers. We know that Jason has been raised up by the Father and healed but our earthly hearts still hurt for the man we will be missing.
Grace and Peace to you.


Compliance != Security

We have so many compliance regulations and auditors now that information security should be getting exponentially better every year. PCI just came out with a new standard, HIPAA received an overhaul recently, and who knows how many other NIST standards are being re-written and re-worked. This is not the case; we see compliant entities are hacked all the time. Worse, they are hacked with what seems like the same old techniques. Disclaimer: I know some talented auditors and they understand where the pitfalls and shortcomings are, do not blame the auditors.

I understand, and sympathize, with the fact that some you have to be compliant to some organization. I also believe that compliance was (is) a good idea and that it means well. What appears to happen is that compliance becomes something you can purchase. We also believe that a compliance-based certification makes our auditor an expert. Business owners want to know "How secure can I be for n dollars?" "How much will it cost to be secure in area x?" For some reason we (security dudes) have not adequately conveyed, (or maybe we have) that this is not a static black and white area. Threat and attack vectors shift and change from day to day, hour to hour, and sometimes form one minute to the next. Is there an effective way to combat this without bankrupting your organization? Can this be done without implementing a police state on your users? Yes, it can. Can you be "hacker proof,” ever relax, and do things the same way you always have? No, you cannot. Working together with the right information security personnel, policies, procedures, and technical controls, you can bring balance to the force.

When preparing for an audit, remember that an auditor can be used to enhance your security posture. One organization I have seen in the past viewed an auditor as an enemy and spent weeks planning how to lie and hide things. It would have been less expense and effort to be compliant. The auditor you choose, or is chosen for you, can also determine your security posture. An auditor with experience as a penetration tester is likely to ask better questions when using the unfortunate checklists. An auditor who is only trained to observe a checklist may view things differently. For example, firewalls are typically required by compliance mechanisms. An auditor thinking like a hacker is used to overcoming and bypassing firewalls and may choose to audit your rule set or assist with configuration changes. You may have a best-of-breed monster firewall but if you have 700 exceptions then you may be leaking data. Web proxies are another good example. You may have every user flowing through a proxy to prevent abuse, drive-by downloads, and policy enforcement. An auditor with a penetration testing background may think to ask how many SSH tunnels (users possibly bypassing the proxy) are exiting your network where a standard auditor may not think of this. Remember, not all CISA, CISM, and QSAs are created equally. If you need an auditor, send me an email I know several excellent folks that are also active pen testers.

Next, make sure you do prepare for compliance, or certification & accreditation audits. How you prepare is critical. While you should make sure you are prepared for the auditor's checklist, do not stop there. Do not assume an attacker will be using that checklist or that the creator of that checklist thinks like an attacker. As a best practice, have an independent third party red team your environment. Penetration testing from multiple perspectives can provide excellent insight concerning your security posture. Being tested externally and internally from black\white\crystal box perspectives will provide you with a comprehensive understanding of where you stand. When I say third party I mean completely not affiliated with your organization. If you are a govt agency, I am not referring to your agency's IG or internal audit. Hire people who will think like a bad guy but are not part of your blue team efforts. There are several reasons for not using your own people; I will list a few here:

Your people are familiar with your culture and environment. While this can be a good thing, it can skew results by overlooking points of failure or vulnerability.
Pride may come into play. How forthcoming will your people be in pointing out issues in a program they have spent years "perfecting."
A third party does not stand to lose (or gain) from your organization's internal culture. (Performance reviews, bonuses, profit sharing, etc.)
A third party will see if your paper policy is effective. A policy without a control is an exercise in writing and awareness.

I am sure there are more but my ADHD has kicked in and I lost interest.

Most importantly, remember that threat and attack vectors change rapidly. You passed your audit today, you got red teamed and remediated every single finding; good job but remember what the attacker could not break yesterday they can today. Information security is a never-ending profession and requires constant vigilance and dedication. Make sure you (and/or your team) are constantly learning. Stay on top of new threats and attacks by listening to the security researchers out there. If you and your people are behind, get some training and/or hire some consultants to get you up to speed. The only thing that will make you secure is you and your team.


Interesting Acquisition Trends

Let's take a look at some of the mergers, acquisitions, and takeovers that have taken place recently.I no particular order, here are the big ones that come to mind.

Intel snags McAfee - Don't forget that McAfee had also been buying up IDS, Firewall, and DLP solutions prior to this.

HP acquires ArcSight - ArcSight is a small company but regarded as best of breed in what they do.

HP acquires TippingPoint - Also known as 3Com, anyone remember them? Tipping Point is regarded by some as a best-of-breed IPS.

Dell grabs SecureWorks - Very interesting move for Dell.

I am sure there are more of these but these all stuck out as companies which want to be able to provide, now or sometime in the future, some sort of complete solution for their customers. This business model will be interesting to watch. Will the people who spend the money prefer one solution "silver bullet" or will they see this as all their eggs in one basket? What happens to people who want a Dell data center with Tipping Point IPS and/or ArcSight SIEM? This also blurs the lines between competition and interoperability.