Monday, 29 September 2008

Wanted: Incident Handler with Mentoring Skills

Previously I posted Wanted: Incident Handler with Reverse Engineering/Malware Analysis Skills. That article noted our GE Careers job posting (843369). We received several great candidates with reverse engineering and malware skills, but none in Cincinnati. Therefore, I am shuffling the positions a bit. The RE/malware person does not need to reside in Cincinnati, but now I need a different incident handler definitely located in Cincinnati. The...

Saturday, 27 September 2008

Snort Report 19 Posted

My 19th Snort Report titled Using SnortSP and Snort 2.8.2 has been posted. From the article: Solution provider takeaway: Solution providers will learn how to set up two Snort 3.0 beta components -- the Snort Security Platform (SnortSP) and the Snort 2.8.2 detection engine on the SnortSP. In the last Snort Report, I discussed the architectural basics of Snort 3.0. The new Snort system consists of the Snort Security Platform (SnortSP) plus an assortment...

Why Blog?

Recently a group of managers at work asked me to explain why I blog. This is a very good question, because the answer might not be intuitively obvious. Perhaps by sharing my rationale here, I might encourage others to blog as well. Blogging organizes thoughts. Recently I nodded in agreement when I heard a prolific author explain why he writes. He said the primary purpose for writing his latest book was to organize his thoughts on a certain topic....

Is Experience the Only Teacher in Security?

Another reader asked me this question, so I thought I might share it with you: I'm really struggling with... how to communicate risk and adequate controls to the business managers at my employer... To put it bluntly, this is the first time the company has really looked at it [security] at all and they don't really want to deal with it. They have to because of the business we are in though... So while I've got a blazing good example of what doesn't...

Friday, 26 September 2008

Security vs IT at Computerworld

A long-time blog reader pointed me towards this Computerworld article Making enemies, but needing allies. I must absolutely emphasize that this story is not me, nor does it reflect issues I have. However, my blog reader asked me specifically to ask if any of you share this problem, and if yes, how do you handle it? Our fledgling security organization is starting to run into some significant relationship challenges. As we're beginning to build our...

VizSec and RAID Wrap-Up

Last week I attended VizSec 2008 and RAID 2008. I'd like to share a few thoughts about each event. I applaud the conference organizers for scheduling these conferences in the same city, back-to-back. That decision undoubtedly improved attendance and helped justify my trip. Thank you to John Goodall for inviting me to join the VizSec program committee. I enjoyed the VizSec keynote by Treemap inventor Ben Shneiderman. I liked attending a non-security...

Saturday, 20 September 2008

CERIAS to CAE: We're Not a Lemon

Every so often we discuss topics like starting out in digital security on this blog. Formal education is one method, with one approach being a Centers of Academic Excellence in Information Assurance Education. This program reports "93 Centers across 37 states and the District of Columbia." At first glance it is tough to see a downside to this program. This is why I was surprised to read Centers of Academic... Adequacy, a recent post by Dr Gene...

Friday, 19 September 2008

Cost of Intellectual Property Theft

I liked the following excerpt from Tim Wilson's story Experts: US Is Not Prepared to Handle Cyber Attacks: If the bad guys launched a coordinated cyber attack on the United States tomorrow, neither government nor industry would be able to stop it, experts warned legislators yesterday. At a hearing held by the House Permanent Select Committee on Intelligence, cyber defense experts testified that government agencies are insufficiently coordinated to...

Tuesday, 16 September 2008

On Breakership

Last week Mark Curphey asked Are You a Builder or a Breaker. Even today at RAID 2008, the issue of learning or teaching offensive techniques ("breakership") was mentioned. I addressed the same issue a few months ago in Response to Is Vulnerability Research Ethical. Mark channels the building architecture theme by mentioning Frank Lloyd Wright. I recommend reading my previous post for comprehensive thoughts, but I'd like to add one other component....

Monday, 08 September 2008

Wanted: Incident Handler with Reverse Engineering/Malware Analysis Skills

I am looking for an incident handler with reverse engineering and malware analysis skills to join a new security organization we are building within General Electric. We are hiring several people, so the generic job description appears on our GE Careers site under job number 843369. This is a GE employee position with great benefits and career prospects. For this specific role, I am looking for the following qualities: Strong incident handling skills....

Bejtlich to Judge NYU-Poly CSAW Forensics Challenge

Dr. Nasir Memon was kind enough to ask me to be a judge at the Forensics Challenge component of the 5th annual Cyber Security Awareness Week, held by the Information Systems and Internet Security Lab within the Polytechnic Institute of New York University. NYU-Poly's ISIS lab is an NSF-funded lab and a NSA designated Center of Excellence that provides focus for multidisciplinary research and hands-on education in emerging areas of information security. Anyone...

Saturday, 06 September 2008

Internal Security Staff Matters

I read Gunter Ollmann's post in the IBM ISS blog with interest today. Gunter is "Director Security Strategy, IBM Internet Security Systems," so he is undoubtedly pro-outsourcing. Here is his argument: [S]ecurity doesn't come cheap. While individual security technologies get cheaper as they commoditize, the constant influx of new threats drives the need for new classes of protection and new locations to deploy them... If you were to examine a typical...

The Analyzer Charged Again

I read a name I hadn't seen in years today when I read Kim Zetter's story Israeli Hacker Known as "The Analyzer" Suspected of Hacking Again: Canadian authorities have announced the arrest of a 29-year-old Israeli named Ehud Tenenbaum whom they believe is the notorious hacker known as "The Analyzer" who, as a teenager in 1998, hacked into unclassified computer systems belonging to NASA, the Pentagon, the Israeli parliament and others. Tenenbaum and...

Bejtlich Keynote at 1st ACM Workshop on Network Data Anonymization

Brian Trammell and Bill Yurcik were kind enough to ask me to deliver the keynote at the 1st ACM Workshop on Network Data Anonymization (NDA 2008). The one day event takes place 31 October 2008 at George Mason University in northern VA. My talk will discuss the trials and tribulations of OpenPacket.org, and changes planned for the proje...

Request for Feedback on Deny by Default

A friend of mine is working on digital defense strategies at work. He is interested in your commentary and any relevant experiences you can share. He is moving from a "deny bad, allow everything else" policy to an "allow good, deny everything else" policy. By policy I mean a general approach to most if not all defensive strategies. On the network, define which machines should communicate, and deny everything else. On the host, define what applications...

Bejtlich Keynote at SANS Forensics Summit

Rob Lee was kind enough to ask me to deliver the keynote on the second day of the SANS WhatWorks in Incident Response and Forensic Solutions Summit. The two-day event takes place 13-14 October 2008 at Caesars Palace in Las Vegas, NV. The conference agenda looks great, with training classes available before and after the summit. The tuition fee is $1,595 if paid by 10 Sep or $1,845 thereafter. I am very much looking forward to attending this event. Rob...

Friday, 05 September 2008

Microsoft Network Monitor 3.2 Beta for Tracking Traffic Origination

I'm always looking for a tool to map the traffic to or from a host with the process receiving or sending it. Today I noticed that Microsoft Network Monitor offers a beta that appears to have the functionality, according to this Netmon blog post. I visited the Netmon site on Microsoft Connect (registration required) to download beta 3.2. I ran two live capture tests to see what Netmon 3.2 beta would report. As you can see in this first screen capture,...

Tuesday, 02 September 2008

Schneier Agrees: Security ROI is "Mostly Bunk"

I know a lot more people pay attention to Bruce Schneier than they do to me, so I was thrilled to read his story on Security ROI (also in CSO Magazine): Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable. It's become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular...

Enterprise Users Should Not Be Records Managers

I found J. Timothy Sprehe's FCW article Seeking the records decider interesting. The whole article is worth reading, and it's short, but I'll post some excerpts to get the point across: Like everyone else, including NARA, GAO assumes and accepts that employees will decide whether e-mail messages are federal records. It is fundamentally wrong to lodge decision-making for records management at the desktop PC level. It means the agency has as many...

Monday, 01 September 2008

Standards for System Administration

My favorite article from the August ;login: magazine is online: "Standard Deviations" of the Average System Administrator (.pdf) by Alva Couch. I'd like to highlight some excerpts: System administrators have a surprising amount in common with electricians. Both professions require intensive training. Both professions are plagued by amateurs who believe (erroneously) that they can do a good job as a professional. Both professions are based upon a...

NetworkMiner

Thanks to the great Toolsmith article by Russ McRee, I decided to try Eric Hjelmvik's NetworkMiner, a Windows-based network forensic tool. You might think that Wireshark is the only tool you need for network forensics, but I maintain that Wireshark (while a great tool) is best used for packet-by-packet analysis. 95% of network forensics investigations are mostly concerned with the application layer data passed during a transaction, not the value...