About Me
- Matthew Hackling
- Matt runs his own security consultancy called Ronin Security. His focus is information security management and he has a keen interest in infrastructure and web application security. He's a CISSP and the current Branch Executive of the Melbourne chapter of the Australian Information Security Association.
Friday, December 25, 2009
Twas the night before Christmas
Apologies to Clement Clarke Moore - Twas the night before Xmas
Twas the night before Christmas, when all through the office
Not a creature was stirring, not even an optical mouse.
The security budget request was hung by the chimney with care,
In hopes that St Nicholas soon would be there.
The admins were nestled all snug in their beds,
While visions of playstations danced in their heads.
And mamma in her ‘kerchief, and I in my cap,
Had just settled our brains for a long winter’s nap.
When out on the IDS there arose such a clatter,
I sprang from the bed to see what was the matter.
Away to the pager I flew like a flash,
booted and VPN'd in like a dash.
A botnet was built from whoa to go,
through the monitored web proxy its C&C did flow.
When, what to my wondering eyes should appear,
But a CSIRT, incorporating many security engineers.
With a little security leader, so wizened and old,
I knew in a moment it must be the CISO.
More rapid than eagles his direct reports they came,
And he whistled, and shouted, and called them by name!
"Now Analyst! now, Crypto Guy! now, Compliance and Tester!
On, Consultant! On, Communications! on, on IDS dude and Forensics!
To the SEIM solution! to the firewall!
Now dash away! Dash away! Dash away all!"
And then, in a twinkling, I heard on the keyboards
The tappering and twittering of each little hoof.
As I drew in my head, and was turning around,
Into the incident room came the CISO with a bound.
He was dressed all in casuals, from his head to his foot,
a surprise as his team had never seen him without his suit.
A bundle of caffeinated drinks he had flung on his back,
And he looked like a peddler, just opening his pack.
His eyes-how they twinkled! his dimples how merry!
His cheeks were like roses, his nose like a cherry!
His droll little mouth was drawn up like a bow,
And the beard of his chin was as white as the snow.
The stump of a pipe he held tight in his teeth,
And the smoke it encircled his head like a wreath.
He had a broad face and a little round belly,
That shook when he laughed, like a bowlful of jelly!
He was chubby and plump, a right jolly old elf,
And I laughed when I saw him, in spite of myself!
A wink of his eye and a twist of his head,
Soon gave me to know I had nothing to dread.
He spoke not a word, but went straight to his work,
And patched all the workstations, then turned with a jerk.
And laying his finger aside of his nose,
And giving a nod, the CIO he called!
He sprang to his car, to his CSIRT gave a whistle,
And away they all flew like the down of a thistle.
But I heard him exclaim, ‘ere he drove out of sight,
"Happy Christmas to all, and to all a good-night!"
Wednesday, December 9, 2009
2009 in review
Gonzalez aka Soup Nazi caught and responsible for some of the largest breaches of credit card data over the last year or two.
RBS Worldpay - Criminals breach a payroll system that pays employees via debit cards. They jack the limits, burn the card data to new card blanks and then withdraw millions simultaneously at multiple locations around the world.
Technologies
Automated source code analysis software from Fortify, IBM and HP hit the big time, helping secure web applications against the most common threat vector: SQL injection, or SQLi for short :)
Data Leakage Prevention fizzled, with many CISOs not really wanting to make a Career Limiting Move by highlighting to management how broken business processes are and how much personally identifiable and confidential data is sitting on insecure file shares and shuttling around in email attachments.
Legislation, Regulation and Compliance
We got some new laws to make ATM and credit card skimming illegal?
PCI-DSS continued on with an increase in compliance validation requirements for level 2 merchants thanks to MasterCard.
Tuesday, December 1, 2009
Customers beware - security "consultants" to avoid
Public enemy number one - the "nessus cut n paster"
It's all good to use Nessus or OpenVAS, as it helps shorten the process of grabbing banners with nmap and using Google/Secunia/MITRE to find publicly reported vulnerabilities in the network services in use (which we pretty much end up doing anyway!). We all use Nessus as part of our suite of tools, but you shouldn't just use Nessus! And you definitely shouldn't just append the raw scan results as an appendix with a covering letter! Your client deserves that you:
- confirm that the reported vulnerabilities actually pose a risk (e.g. are the vulnerable modules on that web server actually in use, or is this a false positive?)
- provide some interpretation and an indication of how easy the vulnerability is to exploit, based on your knowledge and experience (e.g. how likely is it that the client will be subjected to an SSL MITM attack?), along with any compensating controls that are in place
- provide pragmatic recommendations on how to address the issue (e.g. a link to a TechNet article)
The "nessus cut n paster" leaves you feeling conned and frustrated, as you paid too much for an assessment you could have performed yourself. You then have to investigate each of the issues to decide whether it is worth fixing and to find out how to address it.
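As an added example (not the blog's own code), the triage step described above in Python: a raw Nessus-style finding only reaches the client report once an analyst record says it was confirmed, how exploitable it is given compensating controls, and what to do about it. The CSV rows, hosts, finding names and the Verification schema are all constructed for this example.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed Nessus-style export; hosts and finding names are made up.
RAW_SCAN_CSV = """Host,Port,Risk,Name
10.0.0.5,443,Medium,TLS certificate signed with weak hash
10.0.0.5,80,High,Outdated web server module
10.0.0.9,22,Low,SSH weak algorithms offered
"""

@dataclass
class Verification:
    """Analyst's notes on one scanner finding (hypothetical schema)."""
    confirmed: bool              # False = checked and found to be a false positive
    exploitability: str = ""     # how easy it is, given the client's environment
    compensating_controls: list = field(default_factory=list)
    recommendation: str = ""     # pragmatic fix, e.g. a vendor KB article

# Constructed analyst worklist keyed by (host, port, finding name).
WORKLIST = {
    ("10.0.0.5", "443", "TLS certificate signed with weak hash"):
        Verification(True, "needs an active MITM on the client path",
                     ["internal-only service"], "Reissue certificate with SHA-256"),
    ("10.0.0.5", "80", "Outdated web server module"):
        Verification(False),  # module installed but not loaded: false positive
}

RISK_ORDER = ["Low", "Medium", "High", "Critical"]
def effective_risk(scanner_risk, compensating_controls):
    """Drop the scanner's rating one step when a compensating control applies."""
    if not compensating_controls:
        return scanner_risk
    return RISK_ORDER[max(0, RISK_ORDER.index(scanner_risk) - 1)]

def triage(raw_csv, worklist):
    """Split raw findings into reportable, false positive, and still unverified."""
    reportable, false_positives, unverified = [], [], []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        key = (row["Host"], row["Port"], row["Name"])
        v = worklist.get(key)
        if v is None or (v.confirmed and not v.recommendation):
            unverified.append(key)  # unchecked or no fix yet: keep out of the report
        elif not v.confirmed:
            false_positives.append(key)
        else:
            reportable.append({**row, "Exploitability": v.exploitability,
                               "Recommendation": v.recommendation,
                               "EffectiveRisk": effective_risk(row["Risk"], v.compensating_controls)})
    return reportable, false_positives, unverified
```

Anything left in the unverified list is exactly the material a "cut n paster" would have pasted straight into the appendix.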
Public enemy number two - the "over caffeinated try hard hacker"
This guy is someone who has just read "Hacking Exposed" and, instead of building himself some VMware virtual machines and trying out what he is learning on them, wants to "play hacker" on your network. On an external network he will focus on "cool and neat" vulnerabilities and forget to report the "boring" vulnerabilities (the ones you are actually likely to get pwned by). On an internal network, instead of focusing on testing the key controls that secure critical applications (e.g. database listener passwords), he will do crazy stuff like pwning workstations with Metasploit and looking for pirated games/music/pron to take home.
The "over caffeinated try hard hacker" leaves you bemused wondering what the hell happened, rebooting boxes and apologising to executives whose email accounts have been ransacked.
Public enemy number three - the "talky talky consultant"
This Svengali-like consultant mesmerises you with talk about risks, approaches, ISO standards and buzzwords, but never gets down to the discussions you actually want to have, like:
- what are my critical business processes and what applications, infrastructure and information assets are associated?
- what are my key controls?
- how do I test them and record the results and supporting evidence?
- what should be in my security plan to improve my key controls?
- how do I tweak my policy to address new risks?
The talky talky consultant often leaves you stuffed and slightly boozed after a long lunch wondering what value they actually added to your organisation and trying to find a deliverable to justify to your management why you engaged this clown in the first place.
Tips for countering the fallout:
- Make sure your security consultant has scoped the required work well and documented the scope in a contract or engagement letter in enough detail. It should be clear that work outside the agreed scope is not to be undertaken without express permission (e.g. running exploits, or scanning systems other than the defined target systems).
- If an assessment is being provided, make sure the criteria for the assessment are detailed in the engagement letter and restated in the report.
- The contract or engagement letter should also describe the required deliverables for each phase of work in detail and the requested structure and content of the report
- Ask for a sample report, mark it up and return it if it doesn't meet your needs.
- Ask for regular updates on activities and require that they be provided so you can keep tabs on what is going on.