Scalable Infrastructure vs Large Problems, or OpenDNS vs Conficker

After seeing Dan Kaminsky's talk at Black Hat DC last month, I blogged about the benefits of DNS' ability to scale to address big problems like asset management records. I've avoid talking about Conficker (except for yesterday) since it's all over the media. Why mention DNS and Conficker in the same post? All of the commotion about Conficker involves one variant's activation of a new domain generation algorithm on 1 April. Until today no one...

Read More

NSM vs The Cloud

A blog reader posted the following comment to my post Network Security Monitoring Lives:How do you use NSM to monitor the growing population of remote, intermittently connect mobile computing devices? What happens when those same computers access corporate resource hosted by a 3rd party such as corporate SaaS applications or storage in the cloud?This is a great question. The good news is we are already facing this problem today. The answer to...

Read More

Response to 60 Minutes Story "The Internet Is Infected"

I just watched the 60 Minutes story The Internet Is Infected. I have mixed feelings about this story, but I think you can still encourage others to watch and/or read it. Overall I think the effect will be positive, because it often takes a story from a major and fairly respected news source to grab the attention of those who do not operationally defend networks. I'd like to outline the negative and positive aspects of the story, in my humble point...

Read More

Network Security Monitoring Lives

Every once in a while I will post examples of why Network Security Monitoring works in a world where Webbed, Virtual, Fluffy Clouds abound and people who pay attention to network traffic are considered stupid network security geeks. One of the best posts I've seen on the worm-of-the-week, Conficker, is Risk, Group Think and the Conficker Worm by the Verizon Security Blog. The post says:With the exception of new customers who have engaged our Incident...

Read More

NSM on Cisco AXP?

Last year I wrote Run Apps on Cisco ISR Routers. That was two weeks after our April Fool's joke that the Sguil Project Was Acquired by Cisco. I am wondering if any TaoSecurity Blog readers are using Cisco AXP in production? Looking at the data sheet for the modules, they appear too underpowered for NSM applications, especially at the price point Cisco is advertising.Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online...

Read More

Association of Former Information Warriors

In response to my TaoSecurity Blog post titled Buck Surdu and Greg Conti Ask "Is It Time for a Cyberwarfare Branch?", I decided to create the Association of Former Information Warriors. I set up a LinkedIn Group with the following description:The Association of Former Information Warriors is a professional networking group for those who once served as military members in information operations (IO) or warfare (IW) units. The mission of the AOFIW...

Read More

More PowerPoint Woes

Last year I attended The Best Single Day Class Ever, taught by Prof. Tufte. He changed my outlook on PowerPoint for ever. Today in FCW magazine I found a pointer to 8 PowerPoint Train Wrecks, like the slide Bill Gates is presenting at left. While following some of the linked presentations, I came across this line from the shmula blog:While at Amazon, we were all told by Divine Fiat that ALL presentations — regardless of kind, cannot ever be on...

Read More

Thoughts on Latest Government Focus on Digital Security

Ties between the US government and digital security are all over the news right now. We have the Director of National Intelligence supporting greater NSA involvement in defending cyberspace, which prompts the (now former) Director of the National Cyber Security Center (NCSC) to resign in protest. We have the chief security officer of Oracle calling for a Monroe Doctrine for cyberspace while the former director of the National Cyber Security Division...

Read More

The Security World Is Not Just a Webbed, Virtual, Fluffy Cloud

If you've been watching the digital security scene for a while, you'll notice trends. Certain classes of attack rise and fall. Perceptions of risks from insiders vs outsiders change. I think it is important to realize, however, that globally, security vulnerabilities and exposures are persistent. By that I mean that if we forget or neglect problems from the past (or even present) and focus only the future, we will lost.For example, the three...

Read More

Building Security In Maturity Model Partly Applies to Detection and Response

Gary McGraw was kind enough to share a draft of his new Building Security In Maturity Model. I'm not a "software security" guy but I found that the Governance and Intelligence components of the Software Security Framework apply almost exactly to anyone trying to build a detection and response, or "security operations", center. Consider:GovernanceStrategy and MetricsCompliance and PolicyTrainingIntelligenceAttack ModelsSecurity Features and DesignStandards...

Read More

Thoughts on Technology Careers for the Next Generation

I think the next generation of IT and digital security professionals will find limited opportunities in the "traditional" non-IT/security companies of today. I wrote about this last year in Reactions to Latest Schneier Thoughts on Security Industry when I said this, specifically about the security field:What does this mean for security professionals? I think it means we will end up working for more service providers (like Bruce with Counterpane...

Read More

Requirements for Defensible Network Architecture: Monitored

Last year I posted Defensible Network Architecture 2.0, consisting of 8 (originally 7, plus 1 great idea from a comment) characteristics of an enterprise that give it the best chance to resist an intrusion.In this post I'd like to define some specifics for the first of the 8 characteristics: monitored. At some point in the future it would probably make sense to think of these characteristics in terms of a capability maturity model. Right now I'd...

Read More

Using Forensic Tools Offensively

This should not be a surprise to people who use forensic tools on a daily basis, but it is a good reminder. I just noticed two great posts, Dumping Memory to extract Password Hashes Part 1 and Dumping Memory to extract Password Hashes Part 2, on the Attack Research blog. They show how to exploit a system with Metasploit, upload the Meterpreter, upload Mantech's MDD memory dumper, dump memory, download it to an attacker's system, and then follow...

Read More

Recoverable Network Architecture

Last year I outlined my Defensible Network Architecture 2.0, consisting of 8 (originally 7, plus 1 great idea from a comment) characteristics of an enterprise that give it the best chance to resist an intrusion.I'd like to step into the post-intrusion phase to discuss Recoverable Network Architecture (RNA, goes well with DNA, right?), a set of characteristics for an enterprise that give it the best chance to recover from an intrusion. This list...

Read More

Steve Liesman on Inputs vs Outputs

I've been blogging recently on Inputs vs Outputs, or Why Controls Are Not Sufficient. I've also been writing about Wall Street for the past year and a half. What we are seeing in the business realm is one of the biggest incident response engagements the world has ever seen.This morning on CNBC's Squawk Box, reporter Steve Liesman summarized the market's reaction to the ongoing crisis. The latest jobs report had just been released, and panelists...

Read More

Cyber Stress Cases

Earlier this week I attended an IANS Mid-Atlantic Information Security Forum. During the conference Phil Gardner made a good point. He noted that the ongoing credit crisis has fundamentally altered the world's perception of business risk. He said the changes to financial operations are only the beginning. These changes will eventually sweep into information security as well.This reminded me of the world's reaction to 9/11. The day the attacks...

Read More

Bejtlich Teaching at Black Hat USA 2009

Black Hat was kind enough to invite me back to teach two sessions of my new 2-day course at Black Hat USA 2009 Training on 25-26 July and 27-28 July 2009 at Caesars Palace in Las Vegas, NV. This class, completely new for 2009, is called TCP/IP Weapons School 2.0. These are my last scheduled classes in the United States in 2009.Registration is now open. Black Hat set five price points and deadlines for registration. Super Early ends 15 MarEarly...

Read More

Bro SSL Certificate Details

I was asked today about using Bro to record details of SSL certificates. I wanted to show an excerpt from one of my class labs as an example. In one of the labs I use Bro to generate logs for a network trace. The idea is that by looking at the server subject and server issuer fiels, you might identify odd activity.First I generate Bro logs.analyst@twsu804:~/case03$ /usr/local/bro/bin/bro -r/home/analyst/pcap/tws2_15casepcap/case03.pcap weird notice...

Read More