I Am Not Anti-Log

Ringkasan ini tidak tersedia. Harap klik di sini untuk melihat posting...

Read More

NoVA Sec Meeting 1900 Mon 29 Jan 07 at Getronics

Since this blog has a higher readership than the NoVA Sec blog, I want to reiterate:The next NoVA Sec meeting will take place 1900 (7 pm) Monday 29 January 2007 at Getronics Red Siren. Wesley Shields will discuss FreeBSD jai...

Read More

The Self-Defeating Network

At the risk of adding yet more fuel to the fire, I'd like to share a few more thoughts on NSM. Although the title of this post is The Self-Defeating Network (SdN), I don't intend it to be a slam of Cisco's Self-Defending Network (SDN). Rather, the post's title demonstrates a probably lame attempt at branding an otherwise potentially boring issue.Thus far I've tried to explain NSM, and the related concept of Defensible Network Architecture (originated in my Tao book, expanded in Extrusion), from the view of best practices. I've tried to say here's...

Read More

Is It NSM If...

Frequently I'm asked about the data sources I cite as being necessary for Network Security Monitoring, namely statistical data, session data, full content data, and alert data. Sometimes people ask me "Is it NSM if I'm not collecting full content?" or "Where's the statistical data in Sguil? Without it, is Sguil a NSM tool?" In this post I'd like to address this point and answer a question posted as a comment Joe left on my post My Investigative...

Read More

Wireshark Display Filters and SSL

I mentioned the power of Wireshark display filters when analyzing 802.11 last year. Now I read Ephemeral Diffie Hellman support - NOT ! by the Unsniff guys and they tell me that they cannot decode SSL traffic which uses the ephemeral Diffie-Hellman cipher suite. I wonder what that looks like in traffic? Thanks to Wireshark display filters, I can find a suitable packet. Here's a matching packet. You could use syntax like this with Tshark:tshark...

Read More

What Do I Want

If you've read this blog for a while, or even if you've just been following it the last few months, you might be saying "Fine Bejtlich, we get it. So what do you want?" The answer is simple: I want NSM-centric techniques and tools to be accepted as best practices for digital security. I don't say this to sell products. I say this because it's the best chance we have of figuring out what's happening in our enterprise.NSM means deploying sensors...

Read More

TaoSecurity Enterprise Trust Pyramid

My Monitor Your Routers post touched on the idea of trust. I'd like to talk about that for a moment, from the perspective of an operational security person. I'm not qualified to address trust in the same way an academic might, especially since trust is one of the core ideas of digital security. Trust can be described in extreme mathematical detail and in some cases even proven. I don't know how to do that. Instead, I'm going to describe how...

Read More

My Investigative Process Using NSM

I know some of you believe that my Network Security Monitoring (NSM) methodology works and is the best option available for independent, self-reliant, network-centric collection, analysis, and escalation of security events. Some of you think NSM is impossible, a waste of time, irrelevant, whatever. I thought I would offer one introductory case based on live data from my cable line demonstrating my investigative process. Maybe after seeing how...

Read More

Thoughts on December 2006 USENIX Login

I had the opportunity to "hang in the sky" (to use John Denver's phrase) again this week. While flying I read one of the best issues of USENIX ;login: I've seen. The December 2006 issue featured these noteworthy articles, most of which aren't online for everyone. USENIX members have the printed copy or can access the .pdf now. Nonmembers have to wait a year or attend the next USENIX conference, where free copies are provided.My favorite article...

Read More

Snort Report 2 Posted

My second Snort Report has been posted. In this edition I talk about upgrading from an older version to 2.6.1.2, and then I begin discussing the snort.conf file. I recommend reading the first Snort Report so you can follow along with my methodology. In the third article (to be posted next month) I describe the sorts of activity you can detect without using Snort rules or dynamic preprocessors. The idea behind this series of articles is to develop...

Read More

Monitor Your Routers

Today I read this new Cisco advisory containing these words:Cisco routers and switches running Cisco IOS® or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet...

Read More

Review of The Pragmatic CSO

While waiting in the airport, and flying between Ottawa and Washington Dulles, I read a copy of Mike Rothman's new book The Pragmatic CSO. I was somewhat suspicious of some of the early reviews, since they appeared so quickly after the book was published. You can rest assured that I read the whole book -- and I really liked it.The most important feature of "P-CSO" (as it's called) is that it is a business book. P-CSO teaches readers (assumed to...

Read More

Security Responsibilities

It's been several years since I had operational responsibility for a single organization's network security operations. As a consultant I find myself helping many different customers, but I maintain continuous monitoring operations for only a few. Sometimes I wonder what it would be like to step back into a serious security role at a single organization. Are any of you looking for someone with my background (.pdf)? If yes, please feel free to email taosecurity [at] gmail [dot] com. Thank y...

Read More

Latest Laptop Recommendations

It's been over a year since my last request for comments on a new laptop. I had a scare using my almost 7-year-old Thinkpad a20p today while teaching a private class. I wanted to run VMware Server using a VM configured to need 192 MB RAM. The laptop has 512 MB of physical RAM. When I started the VM, VMware Server complained it didn't have sufficient free RAM. Puzzled, I checked my Windows hardware properties and saw only 256 MB RAM reported! Oh oh. I guessed that maybe one of the two 256 MB RAM sticks in my laptop had been loosened on the...

Read More

FreeBSD VMware Interfaces

A site hosting news on FreeBSD 7.0 also included several great tips for FreeBSD under VMware. One tip talked about the lnc network interface standard under VMware.You can see lnc0 in this sample VM. Here's dmesg output:lnc0: <PCNet/PCI Ethernet adapter> port 0x1400-0x147f irq 18 at device 17.0 on pci0lnc0: Attaching PCNet/PCI Ethernet adapterlnc0: [GIANT-LOCKED]lnc0: Ethernet address: 00:0c:29:38:7d:ealnc0: if_start running deferred for Giantlnc0:...

Read More

FreeBSD News

I'd like to mention a few FreeBSD news items. First, FreeBSD 6.2 was released Monday. I am not rushing to install it but I plan to deploy it everywhere. I have a subscription to FreeBSDMall.com, so I don't need to download any .iso's at the moment. I plan to upgrade all existing FreeBSD 6.1 systems using Colin Percival's 6.1 to 6.2 binary upgrade script. I am particularly glad to see that Colin's freebsd-update utility is now part of the base...

Read More

Brief Response to Marty's Post

Marty Roesch was kind enough to respond to my recent posts on NSM. We shared a few thoughts in IRC just now, but I thought I would post a few brief ideas here.My primary concern is this: just because you can't collect full content, session, statistical, and alert data everywhere doesn't mean you should avoid collecting it anywhere. I may not have sensors on the sorts of network Marty describes (high bandwidth, core networks) but I have had (and have) sensors elsewhere that did (and do) support storing decent amounts of NSM data on commodity hardware...

Read More

Comments on ISSA Journal Article

It's been 2 1/2 years since my first book was published, although I've been writing and speaking about Network Security Monitoring (NSM) for at least five years. I'm starting to see other people cite my works, which is neat. It also means people are starting to criticize what I wrote, so I need to elaborate on some ideas. The December 2006 ISSA Journal includes an article by Robert Graham titled Detection Isn’t Optional: Monitoring-in-depth. (No, it's not the Robert Graham of Black Ice/ISS fame. This is a different person.)The implication...

Read More

Intel Premier IT Security Graphic

The image at left is from the first issue of an Intel marketing magazine called Premier IT. I like it because it shows many of the terms I try to describe in this blog, in relationship to each other. In English, the graphic says something like the following:Threats exploit vulnerabilities, thereby exposing assets to a loss of confidentiality/integrity/availability, causing business impact. I disagree that business impact is mitigated by controls....

Read More

Operational Traffic Intelligence System Woes

Recently I posted thoughts on Cisco's Self-Defending Network. Today I spent several hours on a Cisco Monitoring, Analysis and Response System (MARS) trying to make sense of the data for a client. I am disappointed to report that I did not find the experience very productive. This post tries to explain the major deficiencies I see in products like MARS. Note: I call this post Operational Traffic Intelligence System Woes because I want it to apply...

Read More

Certified Malware Removal Expert

I read the following in the latest SANS NewsBites (link will work shortly):Does anyone on your staff do an excellent job of cleaning out PCs that have been infected by spyware and other malicious software. We are just starting development of a new certification (and related training) for Certified Malware Removal Experts and we are looking for a council of 30 people who have done a lot of it to help vet the skills an dknowledge required for the certification exam and classes. Email cmre@sans.org if you have a lot of experience.This must be the...

Read More

Thoughts on Cisco Self-Defending Network Book

I didn't exactly "read" Self-Defending Networks: The Next Generation of Network Security by Duane DeCapite. Therefore, I won't review the book at Amazon.com. I definitely didn't read a majority of the text, which is a personal requirement for a book review. However, I'd like to discuss the title here.The book has a ton of screen shots and is essentially a big marketing piece for Cisco's Self-Defending Network gear, which includes:Cisco Traffic...

Read More

The Revolution Will Be Monitored

I read the following in the latest SANS NewsBites:Revised Civil Procedure Rules Mean Companies Need to Retain More Digital Data (4 January 2007)The revised Federal Rules of Civil Procedure, which took effect on December 1, 2006, broaden the types of electronic information that organizations may be asked to produce in court during the discovery phase of a trial. The new types of digital information include voice mail systems, flash drives and IM archives. This will place a burden on organizations to retain the data in the event it is needed in a...

Read More

New Laser Printer

My old HP DeskJet 970cxi died, so I decided to finally buy a color laser printer. Owning a color laser printer has been sort of a Holy Grail for me. I owned a black-and-white laser printer in 1994, and I always thought the true day of personal desktop publishing would arrive with reasonably priced color laser printers. I bought a Lexmark C530dn at NewEgg.com for slightly more than $500 (when shipping is included). Since I bought the DeskJet several years ago for around $300, this new $500 printer seems the right price. There are cheaper color...

Read More

Many Intruders Remain Unpredictable

The second of the three security principles listed in my first book is:Many intruders are unpredictable. I think the new Adobe Acrobat Reader vulnerability demonstrates this perfectly. (I'm not calling Stefano Di Paola an intruder; anyone who uses his technique maliciously is an intruder, though.) Who would have thought to abuse a .pdf viewer in such a manner? Read more about the problem here. This event reminds me of soccer goal securi...

Read More

And Another Thing... More NSM Thoughts

My Hawke vs the Machine post elicited many comments, all of which I appreciate. I'd like to single out one set of comments for a formal reply here. These are by "DJB," which I highly doubt is Daniel J. Bernstein since the comment ends with "See you at the next ISSA meeting." (DJB lives in Illinois and I live in Virginia.)DJB writes:The topic is not alert-centric vs. NSM, or even passive vs. reactive. The real issue here is Return on Investment for security and Due Care. The cost and lack of common expertise of NSM is why it has not been fully...

Read More

Brothers in Risk

I write about risk, threat, and other security definitions fairly regularly. Lo and behold I just read a post by someone else who shares my approach. This is a must read. How did you react to the story?A second brother in risk is Gunnar Peterson, who writes in part:When security teams conflate threats and vulnerabilities, the result is confusion. Instead efforts dealing with threats... and vulnerabilities... should be separately optimized, besides both being part of "security"; they don't have that much in common.Oh bravo, especially the old...

Read More

Security in the Real World

I received the following from a student in one of my classes. He is asking for help dealing with security issues. He is trying to perform what he calls an "IDS/IPS policy review," which is a tuning exercise. I will apply some comments inline and some final thoughts at the end.If you recall, I was in one of your NSO classes last year. At the end of the day the only place I am able to use everything I learned is at home.This is an example of a security person knowing what should be done but unable to execute in the real world. This is a lesson...

Read More