Friday, October 25, 2013

From Mr. Geer's infinite wisdom

I managed again to finish reading a Dan Geer speech without my brain exploding. This one is his "Trade-Offs in Cyber Security" one (9 October 13, UNCC). As usual incredibly well written and dense, very dense. There's a specific point I liked because of stuff I was planning to right about:

"But only rarely do we ask our Legislatures to make mitigation effective.  Instead, over and over again we ask our Legislatures to make failure impossible.  When you embark on making failure impossible, and that includes delivering on statements like "Never again," you are forced into cost-benefit analyses where at least one of the variables is infinite.  It is not heartless to say that if every human life is actually priceless, then it follows that there will never be enough money.  One is not anti-government to say that doing a good job at preventing terrorism is better than doing a perfect job."

That's how we usually react to breaches, while simultaneously preaching there's no 100% security or "zero risk". This just doesn't make sense. As we're always talking about lessons learned exercises after incidents, how frequently have you seen one of those cases end up with this conclusion: "breach aligned to previously assessed residual risk, no further actions required"?
If that's not happening we are either not assessing risk correctly or we haven't done the appropriate job to ensure risk acceptance is well understood by decision makers. We are turning "small risk accepted" situations into "never again". This is how we end up with scenarios like the derivatives crisis (I was about to say Black S***, but I want to ensure no kittens are harmed during thi post writing). There's a big difference between almost impossible and impossible, even if they initially look the same. As Dan Geer also said in this same speech, "Proving a negative requires omniscience". Do you know absolutely everything that goes on your network?

Monday, October 21, 2013

More defense, and real meat

There was an interesting blog post from Rich Mogull a few months ago about the security community not putting enough effort on defense related research as we normally see for offense. As he quite rightly points out, "breaking things is, in many ways, far less challenging than protecting them. I am sick and tired of seeing researchers and pen testers on various mailing lists brag about how easy it is to get into their clients’ systems. I suspect the ones who understand the complexity of defending complex environments with limited resources keep their mouths shut".
Not that there isn't any defense related content being presented out there; you'll see plenty of defense content in the major security conferences agendas, but for some reason it's still hard to find stuff that is immediately implementable. Think about it, how many times have you been able to come back from a security conference with stuff ready to be used by your organization? I understand that we need to adapt things to the specifics of each environment and there are a lot of nice ideas that although not immediately applicable will still drive change to practices and move things forward by affecting the way people think about problems and solutions. But we are missing real meat, things that could help security professionals to justify their presence in those events.
Most of those events include the offense side. Defcon, for example, has a huge focus on that and I don't think it would make sense to try to change that, it's part of that conference identity. But, even on cases like RSA, where there are lots (I would say the majority) of defense content, we are still missing the part related to implementable content. I;m not saying those discussion panels, threat evolution assessments are not useful, but they serve a different purpose, keeping the minds of the security community aware of the changes and evolution of our world. That's very important. Still, there's still a gap between that and the offense piece that needs to be filled.
There are some forums and events with that kind of content. SANS conferences are probably a notable case. The things I've seen being presented on the different b-sides events are also interstingly more aligned to implementable content. Vendor conferences are also good with that; one of the major challenges is present content useful for organizations and vendors can show things closer to the implementation level by leveraging their own tools and showing how to use their cool features. But still, it's a very limited audience and content framework (they won't show stuff that can't be done with their products :-)).  
There are some good examples of online forums and resources with actionable defense content. The IDS signature databases started a trend of blacklists and crowdsourced resources that made a lot of good stuff for defenders to use in their day to day, but there's still room between tht kind of content and the more inspirational stuff from talks and panels at RSA. There's still so much to share out there. Imagine if we could go to a conference where the content is mostly stuff we can immediately start using in our organizations and generating immediate value. I'm talking about a security conference where the criteria for accepting content would be:
  • D: Defense. This is the basic. The content should be related to defense techniques, not offense. If you want to break stuff go to Defcon and BlackHat.
  • A: Actionable. Stuff that you can go back home and start using. It doesn't necessarily mean technology, it can be a risk assessment method or a new way to write security policies. Interesting technology pieces would be new open source security tools, SIEM rules and new ways to integrate existing tools.
  • M: Measurable. And, by the way, how do we know if this stuff is actually working? This would force speakers to show how they concluded their stuff is worth trying. Have they found stuff that was previously unnoticed on their networks? Have they somehow managed to validate the magical numbers from their risk assessment?
I would call this new conference DAMSEC :-)
To better illustrate the idea, here are some talks from past conferences that would nicely fit into DAMSEC's track:
Defending Networks with Incomplete Information: A Machine Learning Approach - Alexandre Pinto - Black Hat 2013 - ML Techniques that can be used by SecOps groups
Hunting the Shadows: In Depth Analysis of Escalated APT Attacks - F. Yarochkin, PK Tsung, MCJ Chiu, MWB Wu - Black Hat 2013 - Open source tools and techniques to be used for advanced malware detection
So, is there anyone interested in putting together such event? :-)

Monday, October 7, 2013

This is not the Tomcat server you are looking for

It seems that VMWare has some hidden security magic power that we mere mortals are not aware of. Check this blurb from the ESXi documentation:
"The Tomcat Web service, used internally by ESXi to support access by Web clients, has been modified to run only those functions required for administration and monitoring by a Web client. As a result, ESXi is not vulnerable to the Tomcat security issues reported in broader use." 

Doesn't it sound like a "this is not the Tomcat you're looking for" Jedi trick? C'mon guys, good to know you're reducing the attack surface, but don't give false assurances to your clients. It's hard to convince the Ops guys to patching and other security hygiene, this stuff above will just make them resistant to patch (or even check/test) anything on their ESXi servers related to Tomcat. Not helpful at all.