Network Security

This might become my new email signature

Beau Monday — Sat, 24 May 2008 00:32:00 GMT

Mike Rothman, of Pragmatic CSO fame, laid down one of the best one-liners of all time in a recent blog post:

It's about serving the business, NOT THE AUDITORS. If you protect information effectively (which is a key imperative for the business), then the auditors should be kept reasonably happy. And if not, screw them and fight them. Yes, the auditor can make your life a bit harder, but you don't work for them. Keep that in mind.

OK, technically, that's a five-liner, but you get the point.

I can't tell you how many companies I've seen spend a million dollars a year on auditors, yet spend 1/10^th of that on actual security improvements.

That's bass ackwards. If you have your ducks in a row, security-wise (it *is* a key imperative of your business), the auditors should be in and out.

Even a broken clock is right twice a day

Beau Monday — Sat, 24 May 2008 00:01:00 GMT

I'm a rather pragmatic security practitioner. If I think something is dumb, even if it's on someone's “Best Practices“ list, I'm not above calling it out.

Some examples: I think, in the majority of cases, antivirus on a server is dumb. I think renaming your Administrator account is dumb (almost all tools that attack Admin now do so using the SID). I think account lockouts are dumb (they are a crutch for weak passwords). I think writing down a strong, complex password is better than using a weak password if that's all you can reliably remember (no, don't then stick it to your monitor, that *is* dumb).

I also think Disaster Recovery is not a security function.

Yeah, I said it. Out loud. I've been saying it for years actually.

“But Beau,” I hear you saying, probably in an exasperated voice, “*availability* is one of the Holy CIA Trinity (Confidentiality, Integrity, Availability)!”

Yeah, and? Step carefully or I'll punt those other 2 legs out of Security too.

I've long held the belief that the Operations side of the house has far more responsibility when it comes to Availability than Security does. Hell, most IT operations teams are measured by their availability, and not a lot else.

If a disaster strikes, who is going to be putting the pieces back together? Security? Nope. Operations, and maybe some Network guys if the recovery site is raw. Security will be *involved*, of course, but only peripherally.

Security's role is making sure disaster planning is getting done by the appropriate people, and implementing supporting policies and controls.

Actually, that describes Security's role in the other 2 domains too. The people in the trenches on Confidentiality is the Privacy team (read: the lawyers). The auditors are the leads on Integrity.

Now is usually the time most security people get all woozy and I have to start passing out smelling salts.

So, imagine my surprise when one of the most respected security guys I know, Richard Bejtlich (he's the TaoSecurity link at the bottom of my BlogRoll to the right), posted pretty much my standing belief in this regard. From his post on Wednesday, entitled “Security: Whose Responsibility?”:

I assume readers of this blog are familiar with the "CIA" triad of information security: confidentiality, integrity, and availability. Having spent time with many companies in consulting and corporate roles, it occurred to me recently that two or even all three of these functions are no longer, or may never have been, the responsibility of the "security" team.

He demonstrates his vision using this graphic, which I have not previously seen:

He goes on to define what he feels Security's role is:

I believe this state of affairs leaves the Security team as the one group that has the proper mindset, subject matter expertise, and ability to implement defensive operations to preserve CIA. This mission is not one the Security team accomplishes by itself, if that ever were possible. Rather, Security will (if not already) need to pair itself with IT, Audit, and Privacy in order to be effective. One could say the same for and Compliance groups, Governance officers, and/or Physical Security teams, although I'm less worried about those ties right now.

It should be clear at this point that it doesn't make sense for the Security team to work for IT, given the role it must play. A Security team working for IT is likely to be stuck supporting the Availability aspect of "security" at the expense of the other CIA elements. Furthermore, it could be difficult for Security to build the necessary bonds with Audit and Privacy if those groups see the Security team as "just part of IT," or "technologists."

This second part is very interesting, because building those bonds with the CIA-supporting organizations is precisely what Gene Kim's new book, Visible Ops Security addresses. And it surely is a gap today, which is why I'm glad someone's making efforts to highlight it.

OK, give me back my smelling salts now. I'm going to go freak out some lawyers.

Identifying Stale Machine Accounts

Beau Monday — Fri, 09 May 2008 14:51:00 GMT

I'm sick of googling for this the few times per year I need it, so putting it here for future reference:

To identify stale computer account in your Active Directory, you can look at the last time they changed their passwords. Windows 2000 and later machines will change their computer accounts every 30 days by default. Machine accounts that have gone more than 30 days without changing their account passwords are probably no longer in use (or they have a problem preventing them from communicating with the domain controller(s)).

The easiest way to enumerate machine account password age is a free tool called NetPWAge by the folks over at SystemTools.com. Once downloaded, the syntax is simple:

NetPWAge /machines /domain:YOURDOMAINHERE /tabs > MachineAccts.txt

You can paste or import the results into Excel and do some fancy sorting to find out which machines need to get the boot.

Edited to add: I should mention that domain controllers themselves do not follow the 30-day rule, so don't go deleting them based on this scan. You know not to go deleting your domain controllers though, right?

Scars of 9/11

Beau Monday — Tue, 15 Apr 2008 23:28:00 GMT

I've never told this story, not even to my family.

9/11 is why I'm in the security business. Corny as it sounds, when 9/11 happened, I decided that the way I could contribute to making the world a better place was to apply my IT knowledge to securing the world's Windows networks. I had flown out of Logan airport in Boston the day prior to the attacks. I was galvanized. I quit my job, put myself through a number of SANS courses, and focused my 15+ year old IT career towards security.

I even traded my BMW in for a Jeep, in a semi-rediculous gesture of patriotism (Jeep was subsequently acquired by Germany's Daimler Corporation, ironically).

To say that 9/11 was a defining moment for me would be an understatement.

Now the weird part:

Since 9/11, I've had a little “twitch”. A day rarely goes by when I don't look at a clock when it hits 9:11. Either in the morning or at night, my subconcious rarely misses the opportunity to note the passing of 9:11 by drawing my attention to a nearby clock at that hour. It's fucking creepy.

So tonight, as I fed “I Am Legend” into the DVD player, I glanced down at the clock and was surprised to see it read 9:12. Holy Christ, I made it through an entire day without marking 9:11. A rare thing.

A couple hours later, I logged into a computer in Seattle to service some waiting firewall tickets. Look down at the clock on the computer in Seattle, and guess what it reads.

Nine fucking eleven.

Sigh.

Never forget.

Now if you'll excuse me, I've got some firewall changes to make.

RSA Connections

Beau Monday — Fri, 11 Apr 2008 21:31:00 GMT

RSA is 50% learning and 50% networking. At roughly 17,000 attendees, it is far and away the largest gathering of information security practitioners and vendors. You make professional connections here that you cannot otherwise make.

The Peer-to-Peer sessions are networking gold. You have 20 people all struggling with some particular aspect of the business, and you generally leave with the personal contact information from at least half of them. The world's information gets more secure as a result of these short sessions, and the relationships we build after the event is over. Unfortunately, due to the small number of people permitted into them, they fill up quickly.

The Virtualization Security peer-to-peer session is a great example. I talked to one guy who told me about a network problem causing all his VM hosts to shut themselves down. I chuckled and said “Yeah, we made that mistake too.” I then told him about another hitch we had implementing VMotion that caused a similar problem, and by the fact that his eyes went wide when I described it to him, I'm guessing he's probably vulnerable to that too. Those are the little things that don't get discussed in the technical sessions.

Another great contact I made during the show was Gene Kim, author of one of my favorite books of all time, The Visible Ops Handbook. I saw him sitting at the book store, doing signings, purely by chance. I introduced myself, and told him we'd bought 30 copies of his book for our staff, and that I had won a corporate award for implementing a change management program based on his work, and he just gushed and said I made his entire week. He shouted over to one of his partners “Hey they gave this guy an award due to Visible Ops!“ I bought copy #31 from him on the spot so he could sign it (he wrote that my kung fu was awesome), along with his latest release Visible Ops Security, which I have not yet read. Gene's nervous about his new book, since he's not a security practitioner and is anxious about how the community will react. So he asked me to give him an honest review of it after I've had time to read it. Then he gave me his card, and wrote his cell phone number on it. Dude, I have Gene Kim's CELL PHONE NUMBER. How cool is that. Where the hell else would that have happened, but at RSA?

RSA Random Links

Beau Monday — Fri, 11 Apr 2008 20:57:00 GMT

Here are some interesting links that I noted during RSA. These are mostly for my own benefit, but I won't tell anyone if you click on them. I'm not the boss of you.

Symantec Threat Report - 2nd Half of 2007: Executive Summary, Full Report
US Government's Trusted Internet Connection Initiative
Oracle's call for better secure coding education at the university level
Federal Desktop Core Configuration, which is the secure configuration that the goverment uses by default, and has recently mandated that any off-the-shelf software product must operate properly with before being considered for purchase. Site includes MS Virtual Server images of the FDCC configuration for testing purposes. Good stuff.
Google search for Idaho National Lab's research into vulnerabilities in the SCADA systems that control much of the nation's power grids and other critical infrastructures.
Days of Risk discussion on CSO Online
Mark Cox's recent report on Red Hat EL4's risk profile for the 3 years it has been shipping
Mark Cox's Blog
Scott Lowe's blog (virtualization security)
Chris Hoff's blog (virtualization security)
Google Search for Neil MacDonald, one of the few Gartner analysts saying some smart things
CNet's RSA coverage

RSA Random Stats

Beau Monday — Fri, 11 Apr 2008 20:06:00 GMT

Going through my notes from the week, and just wanted to throw out some interesting things I learned during the course of the week, in addition to the items in my previous posts:

It is currently estimated that 40% of computers attached to the Internet are members of one or more botnets
The US government recently reduced its time-to-patch from 57 days to 72 hours, and is striving for 24 hours
Oracle is asking US universities to mandate secure coding courses in the curriculum of computer science majors
Despite some of the high visibility projects at the federal level, information security spending is at an all-time low federally. The main culprit is last year's expiration of the Cybersecurity R&D Act.
In the month of January, 88% of Barack Obama's campaign donations came from online sources. Security of candidate web sites, and the potential for spoofing them, is not getting enough attention.
There were 23 critical vulnerabilities patched by Red Hat in 2007, versus 17 on Windows Vista.
2 out of every 3 hackers exploiting virtualized environments are explicitly targeting the command and control infrastructure, not the VM hosts themselves.

RSA Recap

Beau Monday — Fri, 11 Apr 2008 19:55:00 GMT

Show's over. Algore just left the stage after preaching to the crowd about global warming, and how “you IT people” can use his Intarwebs to help the fight. He was heckled a number of times during the course of his speech, but security people pounced on the hecklers fairly quickly and hustled them out of the forum. I don't remember Colin Powell getting heckled last year, but I might be repressing it.

The irony of Algore coming to a security conference and spreading his apocalyptic FUD was not lost on many of us. Hey, spreading fear uncertainty and doubt is our shtick, pal, and we've been doing it for DECADES.

OK, enough of that. I can feel my blood pressure rising, and I've recently noticed a direct correlation with my blood pressure and the number of times I use the f-bomb in my blog posts, and I'm trying to keep this one PG-rated, for christ's sake. OK, NC-17.

I gave up fairly quickly on the daily posts. There were only 15-20 minutes between sessions, which generally left you just enough time to walk from one session to the other. As luck would have it, I managed to plan things out just right so I had to walk from one end of Moscone to the other between each session. I don't know how that happened.

The small breaks that I did have were consumed by my actual day job, which I did not have the luxury of abandoning completely for the week. Thankfully the RSA folks provided a really nice room for people to do work in between sessions, and it had about 80 powered and wired workspaces where we could sit and jack in our laptops and get some work done. They were also piping in video of current sessions, or ones recorded earlier in the day. Really thoughtful.

Day 1, while a real slog with keynotes starting at 8am and sessions going as late as 6:30pm, was probably the most informative. I attended a few duds, but there were a couple gems too

Here's a few notes from the week:

Threats to 2008 Presidential Elections - I was disappointed in this one. The presenter covered some work he had done with typo domains with respect to presidential candidates. While there is some exposure here with regards to people errantly giving money to the wrong candidates, I don't think that's an effective election subversion technique.
How to Win the Botnet Battle - Probably my favorite session of the entire show, mostly due to Ira Winkler calling his fellow panelists morons repeatedly throughout. I agree with Ira in many aspects of his opinions about how we're conducting the War on Botnets, but I have some fundamental disagreements with him as well. I'll be blogging about this one in the future.
National Cyber Security Readiness - This was a pretty interesting discussion about the state of cyber security at the federal level. On the panel was Rhode Island's own James Langevin, who is truly doing God's work at the legislative level to get cybercrime bills introduced. Rhode Island owes this guy a statue or something. We gave him a Public Policy award for his efforts on the hill. For those who aren't aware, the federal government is undergoing a massive effort to reduce the number and types of connections it has to/from the Internet. Currently numbering in the thousands, the goal is 50 or less. They are also recruiting security people like mad, trying to enable an infosecurity capability into each agency within the federal government.
Michael Chertoff spoke on Tuesday as well, and if you followed the news you saw that he announced a new initiative at the federal level to feed attack intelligence to the private sector, since the federal networks tend to see attacks before anyone else does. We'll see how that pans out, I wish him well. His recent pick for Cybersecurity Czar is making a lot more sense now.
Security Information Visualization - Oy, was I pissed that I dragged myself out of bed early to catch this 8am dud. Highly technical content, first thing in the morning, 90% of attendees nursing head-cracking hangovers from the first night of vendor afterparties. These guys were dead on arrival in conditions such as those, but I admire their moxy. The session was more about visualizing how data is protected using various encryption or DRM mechanisms. I was expecting a talk about metrics.
Linux vs Windows Security - This was a fairly lively debate between a guy at MS and a researcher from a Florida university. They had done some studies revolving around vulnerability severity and numbers. The MS guy made a pretty compelling case, demonstrating that by criticality, time of exposure, and time to patch, Microsoft had a very good year last year compared to Red Hat, the Linux of choice for the debate. However, they ultimately called it a draw due to the ambiguity of the current vulnerability rating systems.
Securing Virtualization peer-to-peer session - Great session, too short by half. Peer to peer sessions are limited in size (20-ish people), and everyone sits in a circle singing kumbayah. Or something. No, the singing came after, now I remember. Seriously though, there was a circle of attendees, and we had a very frank and open discussion about the challenges we're all facing with virtualization in our datacenters. Reps from VM and Citrix were both in attendance, as well as a couple researchers, but the rest of the table was filled with practitioners like myself, struggling with the new security paradigm that comes with virtualization. What I learned: My company is farther along than most, everyone is facing the same set of issues, and there is not much of a consensus about how to handle security in this new environment.
Virtualization and Security - A Technical Forecast - Dud. Basically this was 2 guys, one from VMWare and one from Citrix, expousing what they are doing to secure their respective virtualization products, and that we shouldn't worry about all the fud being put out by researchers right now. The Citrix guy actually came out and said it was impossible for data to leak from one VM image to another, which reminded me or Oracle's “Unbreakable“ gaffe from years past. They also didn't get some of the questions, like when one attendee commented on the fact that hackers are using VMs to cover their tracks and subvert forensic investigations on their attack platforms, and the panelists went on to talk about how you can snapshot images as frequently as 30 times per second if you needed to. Why would an attacker snapshot his own VM image, if the entire point is to dump the evidence by reverting the image, or simply throwing it out, after the deed is done? There was also very little in the way of forward-looking information.

You will note that my session selection tended towards security issues surrounding virtualization. There is great work being done in that space (finally), and there were no fewer than a dozen sessions devoted to virtualization issues. The increased pressure to reduce power and cooling consumption in datacenters is driving adoption of virtualization technologies, at a rate that most people are not yet ready for. This is one area where the security community is behind the curve in a big way.

More later.

RSA 2008 - Day 1 Morning

Beau Monday — Tue, 08 Apr 2008 12:27:00 GMT

I'm at RSA all week, and I figured I best blog about it, seeing as how I maneuvered my way into the Security Blogger Meetup tomorrow night based on the premise that I do, at least occasionally, blog about information security issues.

I'm taking a break from the morning keynotes, choosing to observe the Microsoft keynote from afar, via closed circuit TV, while I get some thoughts down on virtual paper.

The first 2 talks were by EMC (parent company of RSA), and then Symantec.

The show opened with the obligatory cheesy dance number, which this year was a bastardized version of the song “Brick House”, with an information security slant to the lyrics.

After that nonsense was over, EMC's CEO came onstage (no, he wasn't one of the dancers) and talked about the transition security practitioners need to make to go from villain to hero within their respective organizations. To go from the people that say No all the time, to being a business enabler. It was an interesting talk, but we've been talking about that for years, and haven't figured out how to achieve that goal.

Next up were a couple folks from Symantec, who talked a bit about this morning's release of the 13th installment of their Internet Security Threat Report.

Things learned during this morning's sessions:

80% of the companies surveyed during a recent EMC/RSA study admitted that they had shied away from potential business innovations or strategic acquisitions due to concerns over information security.
65% of new software delivered to the average consumer is malicious. For the first time, 2007 saw development of malicious software outpace normal consumer software.
50 million IDs were exposed in 2007 due to various breaches, which is 3 per second, and a 300% increase over 2006
Stolen identities are the 3rd most common item being advertised on the information black market (yes, there's an “information“ black market)
Stolen credit card numbers sell for an average of 40 cents on the black market
Stolen World of Warcraft accounts sell for 100 times more than stolen credit cards

I've only just downloaded Symantec's report, and will post later about that once I've had a chance to review the report in it's full 105-page glory.

Homeland Security's Michael Chertoff, who blew us off last year to testify in front of Congress, was a last-minute addition to today's keynote schedule. He speaks at 11:30, and I'll post again after I have had a chance to hear what he has to say.

And now for something completely different

Beau Monday — Sun, 23 Mar 2008 01:57:00 GMT

I have updated the Conferences list on the right-hand nav frame to just list the 2 conferences on my schedule for this year, both happening in April, as luck would have it.

Speaking of RSA:

I've received an invitation to attend the 2nd annual Security Bloggers Meetup during the RSA show. There may have been a little whining on my part immediately preceding the invite, I can't be responsible for remembering the exact sequence of events. The important thing, I think you'll all agree, is that I'll be there.