Tuesday, 28 October 2008

Vulnerabilities and Exploits Are Mindless

Jofny's comment on my post Unify Against Threats asked the following: So, Richard, I'm curious which security people - who are decision makers at a business level - are focusing on vulnerabilities and not threats? If there are people like that, they really need to be fired. This comment was on my mind when I read the story FBI: US Business and Government are Targets of Cyber Theft in the latest SANS NewsBites: Assistant Director in charge of the US FBI's...

Unify Against Threats

At my keynote at the 2008 SANS Forensics and IR Summit I emphasized the need for a change in thinking among security practitioners. Too often security and IT groups have trouble relating to other stakeholders in an organization because we focus on vulnerabilities. Vulnerabilities are inherently technical, and they mean nothing to others who might also care about security risks, like human resources, physical security, audit staff, legal staff, management,...

Monday, 27 October 2008

Trying Secunia Vulnerability Scanning

One feature which most Unix systems possess, and that most Windows systems lack, is a native means to manage non-base applications. If I install packages through apt-get or a similar mechanism on Ubuntu, the package manager notifies me when an update is needed and it's easy for me to install them. Windows does not natively offer this function, so third-party solutions must be installed. I had heard about Secunia's vulnerability scanning offerings,...

Sunday, 26 October 2008

Review of OSSEC HIDS Guide Posted

Amazon.com just posted my five star review of OSSEC HIDS Guide. From the review: I'm surprised no one has offered serious commentary on the only book dedicated to OSSEC, an incredible open source host-based intrusion detection system. I first tried OSSEC in early 2007 and wrote in my blog: "OSSEC is really amazing in the sense that you can install it and immediately it starts parsing system logs for interesting activity." Stephen Northcutt of SANS...

Saturday, 25 October 2008

Comment on New Amazon Reviewer Ranking System

I just happened to notice a change to my Amazon.com reviews page. If you look at the image on the left, you'll see two numbers: "New Reviewer Rank: 481" and "Classic Reviewer Rank: 434". I found the following explanation: You may have noticed that we've recently changed the way top reviewers are ranked. As we've grown our selection at Amazon over the years, more and more customers have come to share their experiences with a wide variety of products....

Security Event Correlation: Looking Back, Part 3

I'm back with another look at security event correlation. This time it's a June 2008 review of SIEM technology by Greg Shipley titled SIEM tools come up short. The majority of the article talks about non-correlation issues, but I found this section relevant to my ongoing analysis: "Correlation" has long been the buzzword used around event reduction, and all of the products we tested contained a correlation engine of some sort. The engines vary in...

Security Event Correlation: Looking Back, Part 2

In my last post Security Event Correlation: Looking Back, Part 1 I discussed a story from November 2000 about security event correlation. I'd like to now look at Intrusion Detection FAQ: What is the Role of Security Event Correlation in Intrusion Detection? by Steven Drew, hosted by SANS. A look at the Internet Archive shows this article present as of August 2003, so we'll use that to date it. [A]s pointed out by Steven Northcutt of SANS, deploying...

Security Event Correlation: Looking Back, Part 1

I've been thinking about the term "correlation" recently. I decided to take a look back to determine just what this term was supposed to mean when it first appeared on the security scene. I found Thinking about Security Monitoring and Event Correlation by Billy Smith of LURHQ, written in November 2000. He wrote: Security device logging can be extensive and difficult to interpret... Along with lack of time and vendor independent tools, false positives...

Thoughts on Security Engineering, 2nd Ed

One of my favorite all-time security books is Security Engineering by Prof Ross Anderson, which I read and reviewed in 2002. Earlier this year Wiley published Security Engineering, 2nd Ed. The first edition was a 612-page soft cover; the second edition is a massive 1040-page hard cover. To learn more about the new edition, I recommend visiting Ross' book page. This title should be included in every academic security program. Cambridge University...

Security Book Publishing Woes

Practical UNIX and Internet Security, 2nd Ed (pub Apr 96) by Simson Garfinkel and Gene Spafford was the first computer security book I ever read. I bought it in late 1997 after hearing about it in a "UNIX and Solaris Fundamentals" class I took while on temporary assignment to JAC Molesworth. Although I never formally listed it in my Amazon.com reviews, I did list it first in my Favorite 10 Books of the Last 10 years in 2007. Since reading that book,...

Review of Applied Security Visualization Posted

Amazon.com just posted my five star review of Applied Security Visualization by Raffy Marty. From the review: Last year I rated Greg Conti's Security Data Visualization as a five star book. I said that five star books 1) change the way I look at a problem, or properly introduce me to thinking about a problem for which I have little or no frame of reference; 2) have few or no technical errors; 3) make the material actionable; 4) include current research...

Thursday, 23 October 2008

Windows Syslog Agents Plus Splunk

I've been mulling strategies for putting Windows Event Logs into Splunk. Several options exist.

Deploy Splunk in forwarding mode on the Windows system.

Deploy a Syslog agent on the Windows system.

Deploy OSSEC on the Windows system and send OSSEC output to Splunk.

Deploy Windows Log Parser to send events via Syslog on a periodic basis.

Retrieve Windows Event Logs periodically using WMIC.

Retrieve Windows Event Logs using another application, like LogLogic...

CWSandbox Offers Pcaps

Thanks to Thorsten Holz for pointing out that the latest online CWSandbox provides network traffic in Libpcap format for recently submitted malware samples. I decided to give this feature a try, so I searched the Spam folder for one of my Gmail accounts. I found a suitable "Watch yourserlf in this video man)" email from 10 hours ago and followed the link. I was quickly reminded by Firefox 3 that visiting this site was a Bad Idea. It took me a little...

Wednesday, 22 October 2008

What To Do on Windows

Often when I teach classes where students attain shell access to a Windows target, students ask "now what?" I found the blog post Command-Line Kung Fu by SynJunkie to be a great overview of common tasks using tools available within cmd.exe. It's nothing new, but I thought the author did a good job outlining the options and showing what they look like in his l...

Monday, 20 October 2008

Trying Firefox with CMU Perspectives

The October issue of Information Security Magazine brought CMU's Perspectives Firefox plug-in to my attention. By now most of us are annoyed when we visit a Web site like OpenRCE.org that presents a self-signed SSL certificate. Assuming we trust the site, we manually add an exception and waste a few seconds of our lives. I probably wouldn't follow this process for my online bank, but for a site like OpenRCE.org it seems like overkill. Leveraging...

Thoughts on 2008 SANS Forensics and IR Summit

Last week I attended and spoke at the 2008 SANS WhatWorks in Incident Response and Forensic Solutions Summit organized by Rob Lee. The last SANS event I attended was the 2006 SANS Log Management Summit. I found this IR and forensics event much more valuable, and I'll share a few key points from several of the talks. Steve Shirley from the DoD Cyber Crime Center (DC3) said "Security dollars are not fun dollars." In other words, what CIO/CTO wants...

Hop-by-Hop Encryption: Needed?

Mike Fratto's article New Protocols Secure Layer 2 caught my attention: [T]wo protocols -- IEEE 802.1AE-2006, Media Access Control Security, known as MACsec; and an update to 802.1X called 802.1X-REV -- will help secure Layer 2 traffic on the wire... 802.1AE ensures the integrity and privacy of data between peers at Layer 2. The enhancements in 802.1X-REV automate the authentication and key management requirements for 802.1AE. 802.1AE protects data...

Friday, 17 October 2008

BGPMon.net Watches BGP Announcements for Free

Thanks to Jeremy Stretch's blog for pointing me to BGPMon.net, a free route monitoring service. This looks like a bare bones, free alternative to Renesys, my favorite commercial vendor in this space. I created an account at BGPMon.net and decided to watch for route advertisements for Autonomous System (AS) 80, which corresponds to the 3.0.0.0/8 network my company operates. The idea is that if anyone decides to advertise more specific routes for...

Thursday, 16 October 2008

DHS to Fund Open Source Next Generation IDS/IPS

I checked in with the #emerging-threats IRC channel a few minutes ago and saw a link to www.openinfosecfoundation.org: October 16, 2008 (LAFAYETTE, Ind.) – The Open Information Security Foundation (OISF, www.openinfosecfoundation.org) is proud to announce its formation, made possible by a grant from the U.S. Department of Homeland Security (DHS). The OISF has been chartered and funded by DHS to build a next-generation intrusion detection and prevention...

Friday, 10 October 2008

Traffic Talk 2 Posted

My second edition of Traffic Talk, titled Using Wireshark and Tshark display filters for troubleshooting, has been posted. From the article: Welcome to the second installment of Traffic Talk, a regular SearchNetworkingChannel.com series for network solution providers and consultants who troubleshoot business networks. In these articles we examine a variety of open source network analysis tools. In this edition we explore Wireshark and Tshark display...

Thursday, 09 October 2008

Whither Air Force Cyber?

I was disappointed to read in Air Force senior leaders take up key decisions that Air Force Cyber Command is effectively dead: Leadership also decided to establish a Numbered Air Force for cyber operations within Air Force Space Command and discussed how the Air Force will continue to develop capabilities in this new domain and train personnel to execute this new mission. Apparently that unit will be 24th Air Force. Since the Numbered Air Force is...

Saturday, 04 October 2008

FCW on Comprehensive National Cybersecurity Initiative

Brian Robinson's FCW article Unlocking the national cybersecurity initiative caught my attention. I found these excerpts interesting, although my late 2007 article Feds Plan to Reduce, Then Monitor discussed the same issues. The cybersecurity initiative launched by the Bush administration earlier this year remains largely cloaked in secrecy, but it’s already clear that it could have a major and far-reaching effect on government IT operations in...

Friday, 03 October 2008

Insider Threat Prediction Materializing

As we approach the end of the year, I'm looking to see if my Predictions for 2008 are materializing. My third prediction was: Expect increased awareness of external threats and less emphasis on insider threats. Accordingly, I was happy to see the story Targeted Attacks, DNS Issues Hit Home in New CSI Report contain the following subtitle: Insider abuse shows marked drop-off in 13th annual survey by Computer Security Institute. Ho ho, what does that mean? While...

Attacks Upon Integrity

Earlier this year I wrote First They Came for Bandwidth, where I described the motivation behind different sorts of attacks in a historical context: First they came for bandwidth... These are attacks on availability, executed via denial of service attacks starting in the mid 1990s and monetized later via extortion. Next they came for secrets... These are attacks on confidentiality, executed via disclosure of sensitive data starting in the late...