Sunday, 30 November 2008

Craig Balding Podcast on Cloud Security

I noticed Craig Balding's post Podcast: Cloud Computing, Software Development, Testing and Security, so I just listened to all three segments. Readers of this blog may choose to concentrate on the third segment, Cloud computing's effect on application security. Craig is a thought leader on cloud security so I enjoy hearing his ideas.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for...

Tuesday, 25 November 2008

Splunk on FreeBSD 7.0

Although there is not a version of Splunk compiled natively for FreeBSD 7.0, I was told to try using Splunk 3.4.1 on FreeBSD 7.0 via FreeBSD's compat6x libraries. I did the following:

freebsd70:/usr/local/src# pkg_add -v splunk-3.4.1-45588-freebsd-6.1-intel.tgz
Requested space: 106458852 bytes, free space: 1565927424 bytes in /var/tmp/instmp.HhNhQk
Running pre-install for splunk-3.4.1-45588-freebsd-6.1-intel..
extract: Package name is splunk-3.4.1-45588-freebsd-6.1-intel
extract:...

Monday, 24 November 2008

Defining the Win

In March I posted Ten Themes From Recent Conferences, which included the following:

Permanent compromise is the norm, so accept it. I used to think digital defense was a cycle involving resist -> detect -> respond -> recover. Between recover and the next attack there would be a period where the enterprise could be considered "clean." I've learned now that all enterprises remain "dirty" to some degree, unless massive and cost-prohibitive resources...

Live Incident Map

I think this is fascinating: a map depicting naval piracy. One of the most interesting aspects of this map is that it concerns commercial entities (i.e. ships carrying cargo) and anyone can quickly learn the fate of each vessel. It's a giant incident map for 2008. Previous years (2007, 2006) are also available. The closest equivalent for digital security is probably the narrative of the Breach Blog and similar sites. Only when we can openly talk...

Sunday, 23 November 2008

Digital Asset Scorecards

Last month I reviewed Marty Raffy's great book Applied Security Visualization. Recently I've been considering ways to describe systems in my environment using visual means instead of text. I decided to try sharing the following visualization, which I call a Digital Asset Scorecard. I've created a zipped .ppt explaining this idea, but I'll share it here as well. The Digital Asset Scorecard for a single system is shown below. As you will see shortly,...

Reading on Justifying Security Operations

My post Managing Security in Economic Downturns mentioned wrapping everything in metrics to justify your security operation. I decided to peruse the past proceedings of the Workshop on the Economics of Information Security for ideas. I was mostly interested in works explaining how to show value derived from security operations. (Remember, value is mainly or exclusively cost avoidance.) I am really interested in knowing how much it costs to maintain...

Friday, 21 November 2008

NASA v China

Yesterday Businessweek posted a fascinating and lengthy report titled Network Security Breaches Plague NASA. This part will sound familiar to many readers.

By early 1999 the volume of intrusions had grown so worrisome that Thomas J. Talleur, the most senior investigator specializing in cyber-security in the Inspector General's office at NASA, wrote a detailed "network intrusion threat advisory..." Talleur, now 59, retired in December 1999, frustrated...

Don't Fight the Future

Digital security practitioners should fight today's battles while preparing for the future. I don't know what that future looks like, and neither does anyone else. However, I'd like to capture a few thoughts here. This is a mix of what I think will happen, plus what I would like to see happen. If I'm lucky (or good) the future will reflect these factors, for which I am planning. A few caveats: I don't have an absolute time factor for these,...

Managing Security in Economic Downturns

You don't need to read this blog for news on the global economic depression. However, several people have asked me what it means for security teams, especially when Schneier Agrees: Security ROI is "Mostly Bunk". No one can generate cash by running a security team; the best we can do is save money. If your security team generates cash, you're either an MSSP, a collection agency of some sort (these do exist, believe it or not!), in need of being...

Tips for PSIRTs

If your company sells software, you probably need to have a Product Security Incident Response Team (PSIRT). The PSIRT should act as the single point of contact for any user of your product to report and coordinate security problems with your software product. Examples of PSIRTs include:

Cisco Product Security Incident Response Team
Microsoft Security Response Center
Intel Product Security Center

I think you can tell how seriously a company takes security...

Snort Report 21 Posted

My 21st Snort Report titled Understanding Snort's Unified2 output has been posted. From the article:

Welcome to the 21st edition of the Snort Report! In July 2007 I described Snort's Unified output, first released in July 2001 with Snort 1.8.0. Unified output allows Snort to write sets of data to a sensor's hard drive. Writing to the hard drive, instead of performing database inserts, allows Snort to operate faster and minimize packet loss. Unified2...

Thursday, 20 November 2008

Intellectual Property: Develop or Steal

I found the article Internet thieves make big money stealing corporate info in USA Today to be very interesting.

In the past year, cybercriminals have begun to infiltrate corporate tech systems as never before. Knowing that some governments and companies will pay handsomely for industrial secrets, data thieves are harvesting as much corporate data as they can, in anticipation of rising demand... Elite cybergangs can no longer make great money stealing...

Tuesday, 11 November 2008

Laid-off Sys Admin Story Makes My Point

I read this great story by Sharon Gaudin titled Laid-off sysadmin arrested for threatening company's servers:

A systems administrator was arrested in New Jersey today for allegedly trying to extort money and even good job references out of a New York-based mutual fund company that had just laid him off... Viktor Savtyrev, of Old Bridge, N.J., was arrested at his home Monday morning. He faces two charges under the federal cyberextortion statute... Late...

Marcus Ranum on Network Security

I liked this interview with Marcus Ranum titled Marcus Ranum on Network Security:

Q: In your opinion, what is the current weakest link in the network security chain that will need to be dealt with next year and beyond?

MJR: There are two huge problems: Software development and network awareness. The software development aspect is pretty straightforward. Very few people know how to write good code and even fewer know how to write secure code. Network...

BGPMon on BGP Table Leak by Companhia de Telecomunicacoes do Brasil Central

Last month I posted BGPMon.net Watches BGP Announcements for Free. I said:

I created an account at BGPMon.net and decided to watch for route advertisements for Autonomous System (AS) 80, which corresponds to the 3.0.0.0/8 network my company operates. The idea is that if anyone decides to advertise more specific routes for portions of that net block, and the data provided to BGPMon.net by the Réseaux IP Européens (RIPE) Routing Information Service...

Bejtlich Teaching at Black Hat Europe 2009

Black Hat was kind enough to invite me back to teach a new 2-day course at Black Hat Europe 2009 Training on 14-15 April 2009 at the Mövenpick City Centre in Amsterdam, Netherlands. This class, completely new for 2009, is called TCP/IP Weapons School 2.0. This is my only scheduled class outside the United States in 2009. The short description says:

This hands-on, lab-centric class by Richard Bejtlich focuses on collection, detection, escalation,...

Bejtlich Teaching at Black Hat DC 2009 Training

Black Hat was kind enough to invite me back to teach a new 2-day course at Black Hat DC 2009 Training on 16-17 February 2009 at the Hyatt Regency Crystal City in Arlington, VA. This class, completely new for 2009, is called TCP/IP Weapons School 2.0. This is my only scheduled class on the east coast of the United States in 2009. The short description says:

This hands-on, lab-centric class by Richard Bejtlich focuses on collection, detection, escalation,...

Monday, 10 November 2008

Securix-NSM 1.0 Released

Yesterday I read A successor is born... Securix-NSM 1.0. Securix-NSM is a Debian-based live CD that is the fastest way I've ever seen for a new user to try Sguil. All you have to do is download the 280 MB .iso, boot it, and follow the quick start documentation. Those steps are basically:

Open a terminal.
Execute 'sudo nsm start'.
Double-click on the Sguil client icon.
Log into Sguil.

To test Sguil, I executed 'apt-get install lynx' then visited www.testmyids.com....

Sunday, 09 November 2008

2nd Issue of BSD Magazine

I recently received a copy of the 2nd issue of BSD Magazine. This edition has a heavy OpenBSD focus, which is nice considering OpenBSD 4.4 was released last week. I have it on good authority that the next issue of the magazine will focus on NetBSD and be available in December. When I can say more I will post details on my bl...

Friday, 07 November 2008

Fast Money's Transparency and Digital Security

This evening I was very happy to attend a live taping of CNBC's Fast Money program in Washington, DC. Several years ago my wife and I saw a live taping of CNN's old Crossfire program, but this event took place in a huge hall with over 2,000 audience members. Before the broadcast Fast Money host Dylan Ratigan addressed us and shared his thoughts on current economic conditions. He said that a lack of transparency was a fundamental problem on Wall...

Current and Future White House v China

To continue my "v China" series of blog posts, I note the following:

Chinese hack into White House network:

Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials, a senior US official told the Financial Times. On each occasion, the cyber attackers accessed the White House computer system for brief periods, allowing them enough time to steal information before US computer...

Thursday, 06 November 2008

Defining Security Event Correlation

This is my final post discussing security event correlation (SEC) for now. (When I say SEC I do not mean the Simple Event Correlator [SEC] tool.) Previously I looked at some history regarding SEC, showing that the ways people thought about SEC really lacked rigor. Before describing my definition of SEC, I'd like to state what I think SEC is not. So, in my opinion -- you may disagree -- SEC is not:

Collection (of data sources): Simply putting all of...

Tuesday, 04 November 2008

Response to Marcus Ranum HITB Cyberwar Talk

Many readers have been asking me to comment on Marcus Ranum's keynote titled Cyberwar is Bullshit at Hack In The Box Security Conference 2008 - Malaysia. (What a great conference; I think we are seeing the Asia-Pacific area really grow its digital security community. You can access the conference materials here. I'd like to point out my friend CS Lee spoke about NSM at the event.) The article Don’t waste funds preparing for cyberwars summarized...

Monday, 03 November 2008

Response to "Air Force Aims to 'Rewrite Laws of Cyberspace'"

Given my recent posts like Whither Air Force Cyber? I felt the need to comment on Noah Shachtman's story Air Force Aims to 'Rewrite Laws of Cyberspace':

The Air Force is fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear. So now the service is looking to restore its advantage on the virtual battlefield by doing nothing less than rewriting the "laws...

The Best Cyber-Defense...

I've previously posted Taking the Fight to the Enemy and Taking the Fight to the Enemy, Revisited. I agreed with sentiments like the following, quoted in my posts:

The best defense against cyberattacks on U.S. military, civil and commercial networks is to go on the offensive, said Marine Gen. James Cartwright, commander of the Strategic Command (Stratcom), said March 21 in testimony to the House Armed Services Committee. “History teaches us that a...

Snort Report 20 Posted

My 20th Snort Report titled Using Snort 2.8.3 to inspect HTTP traffic has been posted. From the article:

Solution provider takeaway: Solution providers will learn new features in Snort 2.8.3 to improve the granularity of inspecting HTTP traffic.

Welcome to the 20th edition of the Snort Report! In July, we described new features in Snort 2.8.2 and how to identify them when compared to Snort 2.8.0 and intervening releases. Since then, Snort 2.8.2.1,...