Infamous Agenda

AISA Revolution!

2011-11-30T16:22:00.010+11:00

Well it's been a couple of weeks since the AISA annual conference in Sydney and I've just about caught up from the day off!

I just really wanted to post an account of the conference as it truly was a red letter day for the Australian Information Security Association.

I've been to a few annual seminar days held in Sydney usually hosted at one of the bank's and spoken at one in Melbourne (as one of my last duties as outgoing branch executive) and this was the best!

Let's just go through some key points why it was so awesome:

- Sydney conference center

- delegates from Melbourne, Sydney and Brisbane.

- 650 plus people registered (and it looked like they all turned up)

- 30 plus exhibitors

- two international speakers (Bruce Schneier and Marcus Ranum)

- CIO of one of the largest banks in Australia speaking

- CSO of Cisco speaking

- FREE yes FREE to AISA Members (membership is $55 per year)

I put a few faces to names at the coffee cart by suggesting a tweet up. I quickly realised how tall @caseyjohnellis is in real life and what a cool accent @VS_ has.

I ran into Marcus Ranum at the coffee cart line and Bruce Schneier on the floor. I have to admit to being a little star struck!

I really enjoyed the presentation from John N Stewart Cisco's CSO. I really thought it was a useful presentation with lessons learnt. I was really dreading this one as, I thought it would be very "producty" where it was actually the most pragmatic of the day!

Marcus Ranum's presentation went right off on a tangent! The less free thinking in the audience probably were all like "What is this guy on about? Is he trying to encourage us to start a revolution and commit criminal damage and computer crime?". I really took his presentation as a challenge to us security professionals to think like a "misguided hacktivist" and consider how our organisations could be "pranked" and subjected to "economic denial of service" by protestors motivated by an organisational policy they dis-agree with.

AISA really is kicking a few goals at the moment in my humble opinion some examples below:

-new website (finally)

-ongoing focus group meetings http://www.aisa.org.au/for-members/focus-groups/ so you can talk to other security professionals in your area of expertise

- 1600 members

- AISA is providing submissions to the Australian Government on their "Cyber Whitepaper" on behalf of Australian information security professionals

- AISA is policing members for non-compliance with the code of conduct.

It's been a while

2011-10-03T13:06:00.001+11:00

Well here's a little update from me:

- I have written a product review which was printed and a few online
articles for IDG's publication CSO magazine. I'm now a regular blogger
on that site too. Do I qualify for a press pass? Hmm all readers
please report in on events I can "cover" especially those with
delicious snacks :) CSO seems to be taking off, much more so than my
little venture http://www.ozsec.net.au

- I've been thinking a bit about creating an open source security
operations maturity framework project inspired by OWASP OPENSAMM
project. Just need to find an organisation to help me champion it.
Something like this would really help to illustrate where on the
security journey an organisation is and where they would like to go. I
have thought of ISC2, AISA and the ISF but maybe it is SANS?

- my little business is developing, I've delivered a few successful
engagements and now I even have a glossy brochure.

There's nothing new under the sun....some nostalgia from matt

2011-09-02T14:52:00.000+10:00

Back in the day my mother was a sysop of a CDC PLATO system...in 1973 it had all on old school green screen/orange plasma:

touch screen

instant messaging

chat room

screen sharing

bulletin board/news groups

flight simulator

3D multi-player games

and..... wait for it...

freecell

I used to dial up to it at the university on a 300baud modem and play games with uni students. They would make jokes that would go way over my head, I must have been like like eight years of age or so!

http://en.wikipedia.org/wiki/PLATO_system

Plasma display, circa 1964, by Donald Bitzer for PLATO IV
Touchscreen, circa 1964, by Donald Bitzer for PLATO IV
Answer Judging Machinery, ?date?, a set of about 25 commands in TUTOR that made it easy to test a student's understanding of a complex concept.
Show Display Mode, 1975, a graphics application generator for TUTOR software, precursor to Apple's QuickDraw picture language editor.
Charset Editor, an early precursor to MacPaint for drawing bitmapped pictures stored in downloadable fonts.
Monitor Mode on PLATO, 1974, used by instructors to help students, precursor of Timbuktu screen-sharing software.
Pad and a few months later, system-defined Notesfiles, 1973, the first general-purpose computer message board, and precursor to Unix Newsgroups, Digital DECnotes and Lotus Notes.
Talkomatic, 1974, a 6-person real-time chat room (text-based), precursor to Instant Messaging Conferences.
Term-Talk, 1973, precursor to instant messaging.
Gooch Synthetic Woodwind, circa 1972, A music device for the terminal, precursor to sound cards and MIDI.
Airfight, 1974, a 3-D flight simulator written for PLATO by Brand Fortner; this probably inspired UIUC student Bruce Artwick to start subLOGIC which was acquired and later became Microsoft Flight Simulator.
Empire, circa 1974, a 30 person multi-player inter-terminal 2-D real-time space simulation.
Spasim, circa 1974, a 32-player first-person 3D space battle game
Pedit5, circa 1974, likely the first graphical dungeon computer game.
dnd, 1974–1975, a dungeon crawl game that included the first video game boss.
Panther, circa 1975 by John Haefeli, a 3-D tank simulation and forerunner of Atari's Battlezone game.
Build-Up, 1975 by Bruce Wallace, based on a story by J. G. Ballard, the first PLATO 3-D walkthru maze game. The maze itself was also 3-D, having holes in the floor and ceiling.
Think15, circa 1977, 2-D outdoor wilderness quest simulation, like Trek with monsters, trees, treasures.
Avatar, circa 1978, a 2.5-D graphical Multi-User Dungeon (MUD), a precursor to EverQuest.
Freecell, 1979 by Paul Alfille, which probably spawned the Windows version.
Mahjong solitaire, 1981 by Brodie Lockard, popularised in 1986 by Activision as Shanghai.
Emoticons, by 1973

Privacy - if you're not paranoid you're not paying attention!

2011-08-10T12:52:00.004+10:00

Security & Privacy are two very separate almost opposing disciplines. Some of my colleagues are very privacy aware. I really haven't paid enough attention to privacy and am having a bit of an awakening at the moment and thinking more about it.

There are some major challenges with preserving privacy. If governments allow privacy for all, then criminals will have the ability to plan and commit crimes undetected by law enforcement. Does it all come down to judicial oversight?

I welcome your comments to enlighten me of significant incidents and issues that impact on an individuals right to privacy.

Some examples include:

Printer manufacturers embedding codes into printed materials - perhaps this was done to satisfy legislators worried about forgery of currency. A better solution is to prevent printers from copying currency by embedding a code into the currency

RFID chips in passports - These chips can be read at very long distances. Chris Paget illustrates
He got a read from 66m with easily accessible hardware.

Apple recording GPS location history in Iphone - so a large company is recording history of your GPS location by default on a fairly insecure platform that can easily be hacked.

Google recording location of Wireless Access Points, wireless clients via Street View Cars - At one stage Google could be queried for the MAC address of your mobile phone and if a street view car had picked it up its location could be identified (perhaps your home or work address).

If five years ago I would have warned of giant corporations and government tracking your location with hidden codes and chips in documents and wireless signals people would have called me a paranoid schizophrenic!

advice for young whipper snappers --get off my lawn!

2011-05-31T12:52:00.001+10:00

The recent news story (now recanted) about Microsoft hiring a 14yr old
kid after identifying him as cause of a security incident brought up a
few thoughts for me that I'd like to share:

Firstly media please refrain from calling alleged computer criminals
hackers. If you must call them crackers, thieves, fraudsters etc You
don't call white collar criminals bankers right?

Secondly kids - If you are interested in "hacking" or computer
security there are plenty of options open to you than committing a
crime. If you want to learn about breaking systems how about you just
run up a few instances of YOUR OWN on Amazon EC2 and start breaking
them. You will have cheap or even free access to the latest operating
systems, much better than what we see commonly used. Also no need for
hardware or pirating software and downloading it. If you are after
making a "name for yourself" why not look for some 0day
vulnerabilities in open source software and report them to the project
rather than giving yourself a problem with pre-employment screening in
the future?

Well it's been ages - time for an update from me

2011-03-12T17:42:00.002+11:00

It's been quite a while since I've posted on my blog. I've been doing some contracting and consulting, some policy development and some pen-testing directly under my Ronin Security banner and supporting other professional services firms under theirs. Also I have been working directly with Enex TestLab acting as their General Manager of their Security Testing Division in a business development and practice development capacity.

I'm also working a little on my two start-ups, when I get the chance :

OzSec - http://www.ozsec.net.au - I hope this can become a "yellow pages" to the information security industry in Australia.
Centre for Application Security - http://www.appsecratings.com - The very early stages of a certification scheme for rating application security for shrinkwrapped consumer software and cloud service providers.

Threat vectors

2010-11-15T14:39:00.012+11:00

I don't often post on technical topics due to NDAs preventing me discussing the really good stuff.

However I had a great conversation with the guys over at Securus Global the other day and they mentioned a threat vector I hadn't thought of, whilst discussing a PCI-DSS interpretation/good practice query.

Back in the day, when I started in infosec more than 10 years ago, threat modelling was almost a waste of time. It was all webserver compromise, pivot to own other boxes in the DMZ, compromise database listener, exfiltrate database etc. etc. Most websites were static HTML content and there was no dynamic content and opportunity for SQL injection etc. etc. and the easy way in was compromising the web server software. It was more valuable to spend your time scrambling to patch web server software, set database listener passwords, tweak firewall configurations and drop in an Intrusion Detection System.

Now with the focus on client side attacks and web 2.0 it may be worth your while dusting off your threat models and "attack trees" to make sure you have covered all of your bases. That way the bad guys won't be all en.wikipedia.org/wiki/All_your_base_are_belong_to_us

Here's some examples of threat vectors for a stock standard website performing a password protected transactions and storing some sensitive information. The ones in bold you may not have thought of:

Core web server software or web server software extension is compromised, a link to malware is hosted on your website or even worse you are used to host malware!
SQL injection attack is undertaken, extracting the contents of the database via responses from the web server, or the attack drops out to the operating system of the database server and uploads the whole database up to their server.
SQL injection or a persistent Cross Site Scripting attack is undertaken, linking your visitors to a site hosting malware, a web page looking like a windows screen lock screen to steal their password or simply stealing their session tokens
You have a flaw in the implementation of your session management mechanism or encryption of session tokens is not performed consistently allowing an attacker to hi-jack sessions (probably requiring some recon before hand using their or a stolen account).
You have an insecure direct object reference vulnerability allowing an attacker to cycle through information stored by users of the system
Your advertisement service provider is compromised, resulting in malware being advertised on your website
You don't have a split DNS set up and DNS poisoning redirects your intranet web page to a copy hosted externally (with some nasty malware hosted on it)
Your system administrator is emailed a PDF (of interest to them) containing custom malware that downloads and installs a remote access trojan enabling the attacker to capture administrative credentials which work on an internet accessible administration interface
Your system administrator is social engineered to visiting a website (hosting malware) by phone call, voicemail message, a letter or a flyer
Your system administrator is sent malware on a USB key vendor freebie in a package addressed to them with vendor sales collateral

Controls you may want to consider to combat the above include:

Security awareness training
Secure development standards
Automated Source Code Analysis by an application security professional
Testing your application security to criteria
Web and Email Content Management (maybe combined with PDF sanitisation if you are a high risk organisation)
Restricting outbound internet access only to proxy servers from workstations
Monitoring web proxy logs for unusual activity
Restricting server initiated outbound internet access to web servers, application servers and database servers (remember the proper use of stateful inspection firewalls)

Defining success

2010-10-16T23:24:00.001+11:00

What are the outcomes of a successful infosec program? A sarcastic tweet got me thinking, what would success look like if we ever did achieve it. Let's put our yellow hats on ( that's a de bono reference ) and come and dream a little dream with me.
- an understanding of the top ten infosec related risks in the organisation
- an infosec budget aligned with the risk appetite of management, with the whole C-Suite acutely aware and understanding of the risks they have accepted in order to set that budget.
- security projects directed at addressing multiple high risks in the risk register planned, funded, underway and making progress (with comprehensive product evaluation conducted before significant expenditures)
- a compliance and testing regimen in place focused on key controls in critical business processes, applications, platform and network that allows security operations to be optimised and evaluated against real world threats.
- ALL projects initially risk assessed and if high risk subject to a trust but verify approach of threat modelling, security requirements, source code analysis, test plans and test results.
- a happy and engaged security team with the skills to execute on their roles and security projects and professional development opportunities open to them
- a workforce aware of infosec issues relevant to their job role.
- organisational knowledge and agreed approaches enshrined in endorsed policy, standards and guidelines with repeatable key security processes documented in processes and procedures.

If you have any thoughts please feel free to share them with me below in the comments form.

Today Tonight Buzzword Bingo

2010-09-08T16:08:00.004+10:00

Today Tonight are doing a story about "hackers" tonight. It's time to play buzzword bingo!

URL to make your buzzword bingo card

http://lurkertech.com/buzzword-bingo/

Word List

WarDriving

Pixelated Face

Computer Screen in Dark Room

Darn Kids

Elderly at Risk

Linux

Matrix screensaver

Laptop in darkened car

Internet

Internet Banking

Hacker with sunglasses

Facebook

Typing Keyboard Noise

Ominous Music

Vulnerable

Financial Records

Hacker in Black T shirt

Hacker bumper sticker

Laptop with Hacker stickers

Netbook

Netstumbler in use

Kismet in use

Metasploit in use

My buzzword bingo card.

use hashtag #todaytonight on twitter

Avoiding Shelfware - ISMS implementation tips

2010-09-08T10:03:00.014+10:00

A common critique of Information Security Management Systems (ISMS) is that they often become "shelfware" only referred to when the auditors arrive or referred to when the security department wants to say no.

Here are some tips to help these documents become "living documents" referred to by staff in your organisation to guide their actions.

1. Get your standards endorsed. Producing an impact assessment that outlines the financial and operational impact of the standard in question may help you in the process of endorsement by management.

2. Have a feedback loop to improve the standards. Document an email address or a contact person for feedback on the standards. This may help you refine the standards to better meet needs

3. Insert "tips and hints" in standards on how to easily comply with the requirements in the standards. Where further guidance is required write processes, procedures or guidelines (e.g. asset handling). This guidance should be gathered from staff "in the field" and should capture organisational knowledge on security activities. This will encourage staff to refer to standards for ideas on how to do security related activities.

4. Put the standards on your intranet. Most content in security standards is not actually that sensitive. If there are processes which are sensitive just list their name on the intranet and refer the reader to someone they can ask about the process or standard.

5. Conduct security awareness activities related to issue or update of new standards and the issues that the updates are intended to address. Align them with key messages in your security awareness program. These messages can be deployed via a banner on the intranet home page, a screensaver, a message at logon or via a regular email bulletin or newsletter.

#ozsec - bringing the Australian Information Security Community together

2010-08-31T23:30:00.012+10:00

Hello blogosphere!

I have been trying to learn to use #hashtags in twitter to spread the Australian Information Security Association message. The #AISA hashtag seems to be used by others on twitter, maybe it means something in Hindi?

So I went and invented the #ozsec hashtag I hope this can be used by the community to communicate australian infosec events, associations, security research and the like.

In case you didn't know here's a few interesting Australian Information Security facts (please let me know if I have got any wrong):

- the 1st free open source port scanner was invented in Melbourne by Julian Assange of wikileaks fame

- there are over 1000 members of the Australian Information Security Association

- there are over 421 members of the AISA Linkedin Group,which I started too :)

- there are world class security researchers in Australia like Mark Dowd, renowned for securing the Google Chrome browser, the only browser to survive Pwn2Own 2010

- AusCERT has been running the premier australian security conference for seven years now and has been in operation for 17 years.

- At least one of CA technologies identity management products is developed in Australia

- One of Microsoft's three main malware research and response labs is located in Melbourne.

- A number of australian universities offer graduate certificates in information security management (RMIT, ECU etc)

- The Risky Business Podcast made in Australia often has true thought leaders in infosec on it. HD Moore comes to mind as well as FX and Barnaby Jack.

- Selinux in Debian and redhat was developed by an Australian in Australia

- Defence Signals Directorate runs a Cyber Security Operations Centre

How are architects, security architects and security testers meant to play together?

2010-08-27T11:12:00.008+10:00

Well here's my thoughts on how architects and security people responsible for security architecture should work together. Keen for feedback as always :). Note - I updated this post further to comments to highlight how security testing should work.

Application Owners - These are business people who own a business process and hence the business applications that support the business process.

Business Analysts - These are people who identify requirements from business stakeholders and ratify them with the Application Owner.

Solution Designers - These are the people who often write the use cases for the applications and have responsibility for the design of the applications.

Enterprise Architects - Along with producing the "enterprise architecture" these fellows liaise with the solution designers to determine requirements so that applications can be interconnected. For example network and middleware designs. Enterprise Architects produce solution blueprints for solution designers to follow for applications.

Enterprise Security Architect - Along with developing the "enterprise security architecture" which is a subset of the "enterprise architecture" and contains the "zone model" this person develops "security patterns" that can be overlaid over solution blueprints that provide standard sets of security controls. This person also is responsible for securing middleware and other shared infrastructure. It should be noted that the "security patterns" produced are vendor independent and are performance specification related. This enables the organisation to have a long term view of what they want and what direction they are heading in allowing them to drive vendors to deliver to meet their needs, rather than be driven by the offering of vendors.

Security Solution Designers - These people take the "solution design" from the solution designers and apply the "security patterns" from the enterprise security architect to develop the "high level design" for the solution. They also go to the next level of detail called the "security detailed designs". They select the vendors of the hardware and software to meet the requirements of the pattern and use their experience of "what works in the real world" to ensure that the planned application architecture and planned security architecture meshes together. Most importantly they perform the risk assessment, collate the requirements, select and document the security controls.

Security Engineers - These unsung heroes using their in depth training with the security products in use configure the security product hardware and software in accordance with the "security detailed designs".

Application Developers - These guys develop the application in line with the solution design and use cases written and updated by the business analysts. Hopefully they are well educated and policed so that they write secure code in line with the requirements in the "high level design" and "security detailed designs"

Functional Testers - These people test the application to make sure it meets the requirements in the "use cases" mostly put together by the Business Analysts and refined by the Solution Designers.

Non Functional Testers - these people test all the things that need to be tested that don't fit in a use case. For example conducting performance and volume testing, making sure high availability functions work as advertised by turning devices off etc.

Security Testers - These security people check that the security controls designed by the security solution designers and documented in the detailed design documents operate as intended. For example password strength is enforced, sessions are terminated when a logout function is activated etc. Its a good idea for these guys to also check that security requirements and security controls match up.

Penetration Testers - These wonderful people look for common application vulnerabilities, misconfiguration of operating systems, databases and application server software. Their job is to identify missing commonly expected security controls, see if they can bypass the existing security controls or find weaknesses in their implementation. It should be noted that the penetration testers job is not to perform the more rudimentary functional or non-functional testing of security controls but to be the "icing on the cake" to sanity check the design and put the security controls through their paces.

If you don't have these, well what's your problem?

2010-08-24T18:04:00.000+10:00

If you are in the security function of a medium sized organisation and you don't have the following under control..... well here's the list and a place to start if you don't:
- job descriptions for members of information security function
- list of business units and a key contact in each you know
- list of critical business processes and key applications for each business unit
- schedule for risk assessments of processes and applications
- some completed risk assessments (incorporating security policy compliance checks)
- security policy framework (aka ISMS)
- endorsed security policy
- some endorsed standards (esp. acceptable use, password, secure configuration )
- some processes
- some procedures (esp. Firewall mangement )
- matrix of security controls and results with forward schedule
- schedule for pen testing program for critical applications
- copies of business unit risk registers
- vulnerability management solution and some completed scans
- log management solution and plan for enabling logging on end devices and associated alerts
- security awareness material for induction training
- enterprise security strategy with list of treatments that security function are running with
- governance reports to stakeholders

What should your security team look like?

2010-08-20T11:06:00.005+10:00

When thinking about the structure of your central security function you should consider what best makes sense for your organisation and what functions should be allocated to full time employees, contractors and service providers.

There are roles that need to be held by full time employees as these roles need deep relationships with internal stakeholders and service providers for the security program to make progress.

Information Security Manager - a full time employee will be able to act in the best interests of the organisation and maintain the relationships with senior stakeholders that are necessary for securing funding and approval of security standards.
Information Security Governance Analyst - a full time employee will be able to build relationships with stakeholders in business units and gain an understanding of their business processes that is essential for co-ordinating risk assessments, security policy compliance checks and security control testing
Information Security Technical Analyst - a full time employee will be required to liaise with projects and business units for penetration testing. It would also make sense to use a full time employee to conduct vulnerability management activities like vulnerability assessment scanning and oversee security patch management.

There are roles that can be nicely performed by contractors:

Security architect - security architects are often required when an enterprise security architecture is being established or when there is a high volume of projects requiring guidance

There are functions that can be outsourced to service providers such as:

penetration testing - it makes sense to outsource this function as the resource requirements will vary dependent on projects in the pipeline
risk assessment and security policy compliance checks of projects and processes
security control testing
security operations - firewall management, IDS management etc.

Social Media Security

2010-06-08T13:39:00.000+10:00

I know of a few organisations who are wishing to leverage social media to connect with their customers. I'd advise that they do a solid business focused and technical focused risk assessment before doing so. There are some major benefits that can result, but one should consider the risks and prepare to respond.
Some of the things they should consider and develop policy, standards and contingency plans could include the following:
- what social Media sites and services will you use, and what will you share and accept back? Do you want to set up a youtube channel? will you accept people re-mixing your video posts, what is going too far, how will you respond? Do you want to set up a twitter account? How will you respond to "trolling" and mocking copycat accounts (see @BPGlobalPR for a case study). If you set up a facebook company profile or user group, what will you put on there? Will you allow/respond/remove advertisers/head hunters etc.

-consider if the social Media platform can leak information about your personnel or systems to an attacker. Consider if personnel should be individually identifiable? Could someone who is mentally disturbed trace a person from a corporate social media account to their personal one and retrieve information as to their location, appearance etc. that could lead to a physical security problem.

- Consider if the target demographic are vulnerable or targeted by another group. For example consider the case study of when internet miscreants raided an epileptic web forum and posted scripts and images intended to give viewers a seizure. Is your target audience elderly, a persecuted minority, subject to foreign or domestic government monitoring/intimidation etc.

Thoughts on the infosec industry

2010-06-01T21:07:00.001+10:00

Here's a few thoughts on the state of the security industry, please excuse the rampant use of automotive analogies as I'm blogging this from my garage :)

- Aftermarket products are sold to try and fix insecure operating systems and applications. They don't work all that well because the signature detection/prevention paradigm can be defeated by simple obfuscation or a custom developed exploit. It's sort of like trying to retrofit an airbag to a car with a button to press in case of an accident rather than designing a strong safety cell and crumple zones. If we were doing security well at the operating system, we wouldn't need firewall technology at all. If we did security well at the application level, no need for antivirus !

- we're not attracting the best and brightest to work securing organisations. The kids seem to want to learn to break rather than learn to build. Maybe we need "drag-strips" or hackerspaces for the fast and the furious who want to play.

- We're not so good about understanding and marketing to our target markets and putting together solutions that work. Why one ISO standard for everybody? Why not separate ISO standards aligned with the risk profiles of SOHO, SMEs, state government, banks, federal government and military

Best bang for buck security initiatives

2010-05-20T17:48:00.000+10:00

If you are a CISO or even a security analyst what are some of the best ways to make a visible impression and change the risk profile of your organisation ?

Well here are some suggestions:
- conduct security awareness training customised to business unit processes.
- identify your key business processes and systems by interviewing business unit leaders
- perform a risk assessment of the top ten riskiest business processes and top ten systems for each.
- pick a key system, vulnerability scan its infrastructure and present the results with proposed fixes.
-identify a list of projects underway and risk assess the top ten riskiest
-engage someone to identify and test your internet facing web applications
- talk your infrastructure people into doing an inventory of devices on the network
- monitor outbound web traffic for botnet command and control communications
- benchmark patch levels of 3rd party apps on top of desktop standard operating system SOEs

Well that's the end of my brain dump ! Hope it helped you out with some ideas!

What are the CISO's most useful instruments ?

2010-05-03T20:33:00.001+10:00

So you want to conduct a symphony of information security within your organisation? Well what are the instruments you will use in your orchestra? I suggest you might want to look for or plan the creation of the following:
- audit issue register (lead violin, sometimes a bit too screechy)
- enterprise risk register
- significant business unit risk registers
- compliance requirement register ( the timpani )
- mapping of compliance requirements to your Information Security Management System
- control testing Management reports and database
- management reporting template
- existing enterprise security plan and perhaps security plans of significant business units
- list of business units by criticality
- list of business processes by criticality within business units
- list of business applications by criticality with function descriptions
- current security budget
- business case template and submission procedures
- document map of ISMS with status of documents within it (approved, under review, drafted, not started)
- organisation chart
- list of security projects with budget and status
- list of business projects by criticality to business success
- enterprise security architecture ( well at least the "zone model" with zones mapped to examples in the existing environment )
- data classification scheme

Enterprise Security Architecture

2010-04-30T08:51:00.001+10:00

So why do you need an Enterprise Security Architecture (ESA) ? Well every organisation should really have one, it will just be shorter and simpler for a small business than a large multinational enterprise.
What an ESA will provide is the following :
- a vision of how network segregation will be implemented in alignment with the enterprise architecture
- a guide to where new network devices and applications should be located in the actual network based on their function/risk/required connectivity
- a source of high level application security requirements for new application development projects
- a point of reference for security policy and standards for standards related to network security, access control, etc.

Ways in which you would use the ESA or concepts in it every day would include the following :
- analysing and reviewing firewall rule change requests (perhaps in conjunction with firewall management standard, process and procedure.)
- analysing requests for business partner connections and suggesting where they should be connected
- responding to security incidents by using it to provide simplified situation reports
- using it as a reference in post security incident analysis. (e.g. We had a problem because a lack of input validation in the web application as suggested in the ESA led to an SQL injection vulnerability that was exploited by automated malware)
- communicating security policy to employees (e.g. You can't run a webserver from here it needs to go there )
- determining placement of security infrastructure like IDS sensors, identity management servers etc.

An ESA that meets these objectives and provides this functionality is essential to efficient operation of many information security processes. So much so that I was driven to writing a template I'm calling SHIRO to help me in updating the ESAS that I need to work with in my engagements to provide the above functionality.

If you have any positive thoughts about ESA I'm always willing to hear them in the comments section below

So my company is launched - a bit of an update from me !

2010-04-21T14:43:00.001+10:00

This week is the first week of operations for Ronin Security Consulting Pty Ltd or RoninSec for short. You can check us out at http://www.roninsec.com
I left my previous job at a big 4 consultancy after 7 years as I saw opportunities for a better lifestyle outside of the firm for myself and my family.
Currently I am working two days a week assisting a colleague at a government agency who is acting as a CISO. I'm looking for another two days a week of work, preferably supporting infosec management although I can work with enterprise security architecture or perform infrastructure or
Web application penetration testing.

I'm really keen to work closely with CISOs and people who have held that position as I am interested in learning the fine arts of diplomacy, engagement and the martial discipline of corporate survival. One day I would like to act as a true CSO leveraging my experience in physical, electronic and information security.

Currently I'm interested in working with the following "sexy" areas of infosec:
- DLP implementation
- Security design for SaaS offerings (my business is 95% in the "cloud")

I'm launching a web application security assessment with business intelligence (WASABI) supported by a web application called KATANA (that doesn't stand for anything as yet, suggestions welcome) and am writing a sample enterprise security architecture called SHIRO (that's japanese for castle in case you were guessing)

Some of the things I am looking forward to work wise are:

-Going to blackhat in las vegas next year and RSA in san francisco the following year. Looking forward to catching up with many colleagues I have only worked with virtually.
-working in perth, my hometown for stints
- learning more python maybe some ruby
- doing some training with immunity inc.
- doing more with the Australian Information Security Association
- developing my start up, the Centre for Application Security http://www.appsecratings.com
- bringing the unique services of overseas consultancies to the Australian market

Some of the things I am enjoying about contracting are:

- running linux as an OS and open source applications such as open office (they sure are quicker and don't crash)
-using webmail exclusively with a massive storage limit
- carrying an eeepc rather than an IBM T41

What's your top three concerns?

2010-03-09T08:58:00.001+11:00

I was asked to name my top three infosec concerns the other day. What
I came up with was:

- Client side security
Its a battle to keep all of the 3rd party apps (think winzip, adobe,
vlc, microsoft word, etc etc.) patched for known reported
vulnerabilities, let alone the worries of 0day vulnerabilities. Most
enterprises have a 6 monthly patch routine hence there is often many
vulns in software that is in common use. Hence you can't ban the
types of attachments and downloads that contain the malware like you
could in the days of .exe and .vbs email attachment driven malware.

- Asset Management
Its a battle in a large enterprise to identify what critical business
processes you have let alone what devices you have on your network or
what apps you have and which ones of these are
internet/customer/business partner facing. The security team can't
secure what they don't know about. Port scans may help identify what
systems there are out there (to some extent, large network ranges are
hard to scan safely), but what apps are on these systems? Its a sad
state of affairs when your firewall configuration is the only source
of information about what internet facing apps you have. What about
web apps your marketing department has contracted to have hosted by
web development companies? What about business partner routers
connected directly to your internal network?

- Decreasing effectiveness of controls
Firewalls are less effective as everything can be tunnelled through
your outbound web proxy server over HTTP
Antivirus is less effective as criminals are writing custom remote
access trojans and testing them with the software (these are
professionals not pranksters).
IDS and IPS are less effective due to encryption, obfuscation of
shellcode available in all exploit development frameworks.
Web and email content management is less effective due to fast flux
hosting of malware and due to malware being sent in attachment MIME
types who you need to accept (i.e. .zip, .pdf, .doc, .xls) or which is
encrypted (i.e. Winzip file with password)

--
Sent from my mobile device

Staying cheerful despite Barriers to Information Security

2010-03-03T09:00:00.008+11:00

Sometimes it's hard to be positive when you work in information security. I have noticed a number of my colleagues get very despondent that they are unable to change the status quo at their respective organisations.

I'm an eternal optimist, and I think it's the job of information security professionals to be constantly active in attempting to improve the state of information security. You've got to keep a ducking and a diving with the grace of Muhammad Ali, taking the opportunity for a tactical win when the rare opportunity exposes itself.

Some maxims that are useful to keep in mind:

1. Success is defined as having the information security program aligned with the business's desired residual risk level. Some notes to consider below:

management must make the informed decision to run "cheap, lean and risky" not be blindsided by security incidents
security done well can be a competitive advantage to a business by reducing the costs of doing business when compared to their competitors (i.e. reduction in losses and security cap-ex and op-ex with no increase in risk)

2. Funnel the kick-back from a security incident into a productive pre-planned effort. " Oh sir, we've responded well to the incident, however this could have been prevented by the use of a DLP program which we had on the budget request last year".

3. Most intrusions (according to the 2009 Verizon Data Breach Investigations Report) are due to year old vulnerabilities so don't focus on obscure stuff and forget the basics like secure configuration/deploying security patches/ squishing SQL injection vulnerabilities.

Some common challenges encountered and tactics to consider:

when "bottom up" vulnerability management efforts stall due to business application owners not approving costs/outages for secure configuration/patching/remediation of application security issues try "top down" approaches such as developing a security charter in conjunction with executives and then from that developing a security policy set (aka ISMS) that requires "vulnerability management"
when information asset classification efforts are failing due to lack of business process documentation and inventory and asset management processes, try some inventory activities yourselves (i.e. some port scans) and share the results with the operations team to kick-start efforts.

If some more problems and tactics come to mind I'll re-edit this post later on.

What works - Incident Response

2010-01-28T13:34:00.000+11:00

Hello,
Had a chat with a lovely analyst the other day doing a briefing paper for his clients and here were a few lessons learnt I have picked up;

*It's all about the CSIRT

The Computer Security Incident Response Team is who gets called to help when a security incident is identified. Often security incidents are identified due to an outage or degredation in performance through standard ITIL style incident mangagement processes.

The CSIRT should comprise a virtual team (who have been pre-warned and educated as to their roles) of security operations personnel and IT operations personell (desktop, server, network, app support and database). A "management team" of media liason, legal and senior managemement should operate in parallel and concentrate on communications and public relations.
One method in use is to have a conf call running for the tech team and have a comms person dial in every 30 mins to gather intel for a sitrep for the "management team" so that the CSIRT can get on with responding to the incident rather than returning calls from senior management and producing status updates.

*A preemptive media blitz

Having a pre-approved press release all ready to go in case of customer impact is a good idea IMHO as this will pre-empt bad press. In this day of twitter driven instant communications waiting for half a day to get the message out is far too long.

*Build in resiliancy

Have a hard copy CSIRT manual available with an insert with the latest numbers of the CSIRT members and issued to the IT Help Desk and CSIRT members. This manual and your intranet should reference a contact number (ugh for the hellphone I mean cellphone) that the security ops team will carry on a roster and an email address like csirt@company.com that is CC'd to all current CSIRT members.

*Have a plan of attack

For commonly anticipated incidents have a brief plan of attack documented in the CSIRT manual. Don't go overboard and the process followed should be sanity checked by CSIRT members at each stage during the incident.

*Liaise BEFORE the incident so you have a friend to phone

Identify who you may need to contact in case of a security incident and make friends. This will help you later. This could be your bank, CIO of customers, govCERT, AHTCC, local computer crime unit etc. Who you contact may vary based on your organisation and the type of incident you experience. For example finding illegal content on a computer may require you to call local law enforcement. Experiencing a sustained DDOS attack may require you to call your telco. Fraud conducted via computer maybe your bank and local fraud squad etc.

* Know where to get your intel and practice

Do some exercises based on your commonly anticipated attacks and figure out where you can monitor outbound traffic from your desktops etc. so that you can take actions based on facts not hunches.

*Outsource the forensics

Once you know you have a significant incident on hand that is likely to result in employee dismissal or a civil or criminal case, call in a professional computer forensics team who can independently capture, analyse and present in court the results and stand up to intense cross examination.

*Prepare to capture the info

Think about what incidents you are likely to encounter and hence what logging needs to be turned on. Stream the logs in real time over an encrypted channel to a secured central log server, so that an admin can't tamper with the logs. Sync up all the time sources to the same timezone and time server.

Comments welcome from experienced first responders!

Twas the night before Christmas

2009-12-25T06:43:00.004+11:00

An ode to all two infosec people who are keeping the home fires burning over the holidays. May your pager never beep on this specialy day!

Apologies to Clement Clarke Moor - Twas the night before Xmas

Twas the night before Christmas, when all through the office
Not a creature was stirring, not even an optical mouse.
The security budget request was hung by the chimney with care,
In hopes that St Nicholas soon would be there.

The admins were nestled all snug in their beds,
While visions of playstations danced in their heads.
And mamma in her ‘kerchief, and I in my cap,
Had just settled our brains for a long winter’s nap.

When out on the IDS there arose such a clatter,
I sprang from the bed to see what was the matter.
Away to the pager I flew like a flash,
booted and VPN'd in like a dash.

A botnet was built from whoa to go,
through the monitored web proxy its C&C did flow.
When, what to my wondering eyes should appear,
But a CSIRT, incorporating many security engineers.

With a little security leader, so wizened and old,
I knew in a moment it must be the CISO.
More rapid than eagles his direct reports they came,
And he whistled, and shouted, and called them by name!

"Now Analyst! now, Crypto Guy! now, Compliance and Tester!
On, Consultant! On, Communications! on, on IDS dude and Forensics!
To the SEIM solution! to the firewall!
Now dash away! Dash away! Dash away all!"

And then, in a twinkling, I heard on the keyboards
The tappering and twittering of each little hoof.
As I drew in my head, and was turning around,
Into the incident room came the CISO with a bound.

He was dressed all in casuals, from his head to his foot,
a surprise as his team had never seen him without his suit.
A bundle of caffeinated drinks he had flung on his back,
And he looked like a peddler, just opening his pack.

His eyes-how they twinkled! his dimples how merry!
His cheeks were like roses, his nose like a cherry!
His droll little mouth was drawn up like a bow,
And the beard of his chin was as white as the snow.

The stump of a pipe he held tight in his teeth,
And the smoke it encircled his head like a wreath.
He had a broad face and a little round belly,
That shook when he laughed, like a bowlful of jelly!

He was chubby and plump, a right jolly old elf,
And I laughed when I saw him, in spite of myself!
A wink of his eye and a twist of his head,
Soon gave me to know I had nothing to dread.

He spoke not a word, but went straight to his work,
And patched all the workstations, then turned with a jerk.
And laying his finger aside of his nose,
And giving a nod, the CIO he called!

He sprang to his car, to his CSIRT gave a whistle,
And away they all flew like the down of a thistle.
But I heard him exclaim, ‘ere he drove out of sight,

"Happy Christmas to all, and to all a good-night!"

2009 in review

2009-12-09T22:13:00.001+11:00

Breaches

Gonzalez aka Soup Nazi caught and responsible for some of the largest breaches of credit card data over the last year or two.

RBS Worldpay - Criminals breach a payroll system that pays employees via debit cards. They jack the limits, burn the card data to new card blanks and then withdraw millions simultaneously at multiple locations around the world.

Technologies

Automated Source Code analysis software from Fortify, IBM and HP hit the big time helping secure web applications against the most common threat vector - SQL Injection or now SQLi for short :)

Data Leakage Prevention fizzled with many CISOs not really wanting to go a Career Limiting Move by highlighting to management how broken business processes are and how much personally identifiable and confidential data is stuck on insecure file shares and shuttling around in email attachments.

Legislation, Regulation and Compliance

We got some new laws to make ATM and credit card skimming illegal?

PCI-DSS continued on with an increase in compliance validation requirements for level 2 merchants thanks to MasterCard.

Customers beware - security "consultants" to avoid

2009-12-01T09:30:00.004+11:00

Some tweets from @jack_mannino raised some strange feelings and thoughts that I wanted to express about some of the types of people that raise my ire in the security consulting industry:

Public enemy number one - the "nessus cut n paster"

Its all good to use nessus or OpenVAS as it helps shorten the process of grabbing banners with nmap and using google/secunia/mitre to find out publicly reported vulnerabilities about the network services in use (which we pretty much end up doing anyway!). We all use nessus as part of our suite of tools but you shouldn't just use nessus! And you definitely shouldn't just append the raw scan results as an appendix with a covering letter! Your client deserves you:

confirm that the reported vulnerabilites actually provide a risk (i.e. are the vulnerable modules on that webserver actually in use or is this a false positive)
provide some interpretation and an indication of how easy this vulnerability is to exploit based on your knowledge and experience (i.e. how likely is it that the client be attacked by an SSL MITM attack) and any compensating controls that are in place
provide pragmatic recommendation on how to address the issue (i.e. a link to technet article etc.)

Oh its worth adding, running nessus does not test web applications! It may test the configuration of the web server software but not the susceptibility of a custom web application to SQLi etc!

The "nessus cut n paster" leaves you feeling conned and frustrated as you paid too much for an assessment you could have performed yourself. You have to investigate each of the issues to identify if you should bother fixing them and find out how to address them.

Public enemy number two - the "over caffeinated try hard hacker"

This guy is someone who has just read "Hacking Exposed" and instead of building himself some vmware virtual machines and trying out what he is learning on them, he wants to "play hacker" on your network. On an external network he will focus on "cool and neat" vulnerabilities and forget to report "boring" vulnerabilities (the ones you are likely to get pwned by). On an internal network instead of focusing on testing key controls that secure critical applications (e.g. database listener passwords) he will do crazy stuff like pwning workstations with metasploit and looking for pirated games/music/pron to take home.

The "over caffeinated try hard hacker" leaves you bemused wondering what the hell happened, rebooting boxes and apologising to executives whose email accounts have been ransacked.

Public enemy number three - the "talky talky consultant"

This Svengali like consultant mesmerises you with talk about risks, approaches, ISO standards and buzzwords however never gets down to the discussions you want to have like:

what are my critical business processes and what applications, infrastructure and information assets are associated?
what are my key controls?
how do I test them and record the results and supporting evidence?
what should be in my security plan to improve my key controls?
how do I tweak my policy to address new risks?

The talky talky consultant often leaves you stuffed and slightly boozed after a long lunch wondering what value they actually added to your organisation and trying to find a deliverable to justify to your management why you engaged this clown in the first place.

Tips to Countering the fallout:

Make sure your security consultant has scoped the required work well and documented the scope in a contract or engagement letter in enough detail. It should be clear that work outside the agreed scope is not to be undertaken without express permission (i.e. running exploits, scanning other systems apart from the defined target systems)
Make sure if an assessment is being provided that the criteria for the assessment is detailed in the engagement letter and provided in the report
The contract or engagement letter should also describe the required deliverables for each phase of work in detail and the requested structure and content of the report
Ask for a sample report, mark it up and return it if it doesn't meet your needs.
Ask for regular updates on activities and require that they be provided so you can keep tabs on what is going on.

What does 2010 hold for us infosec types?

2009-11-27T15:39:00.003+11:00

I would like to see some of the following happening in the new year in Australian organisations in order for them to address key risk areas:

Application Security programs

Implementing trust but verify gates into the SDLC for security risk assessments, requirement documentation, static source code analysis, functional and vulnerability testing
Risk based testing schedules for applications in production that test the key controls in the applications (i.e. test critical apps in a detailed manner each release/year, with a rolling schedule of vulnerability testing for low criticality apps)

Tactical Security Infrastructure projects

Large scale Data Leakage Prevention (DLP) deployments with associated business process remediation
Virtualisation and rationalisation of perimeter security infrastructure
Logging Monitoring and Reporting programs with integrity monitoring implementation and enablement of logging in end devices and configuration of alerts on central monitoring software.

( I doubt organisations will be kicking off large difficult projects such as identity & access management projects next year due to the after effects of the GFC and a hesitancy to launch projects that won't have a "quick win")

Security Management initiatives

furthering development of good asset management, change and release management processes so that the outputs can be used to drive appsec programs and vulnerability management processes.
pragmatic Information Asset Classification and Labelling (which could be facilitated by DLP used to discover information assets)
Security awareness and induction training

What I suspect I will see is the following:

DLP product sales that expect rollout and management by BAU resources forgetting that DLP will identify broken business processes and systems that need to be remediated and that well organised support mechanisms will be requried to prevent disruption to one off business processes
the compliance driven annual penetration test will now involve web application security assessment of a sample application bundled in as an optional extra
writing of security policies only to satisfy audit findings that are destined to become shelfware due to a lip service approach to security
refreshes of end of life perimeter security infrastructure forced by capacity driven outages and a lack of vendor and system integrator support
purely top down risk management initiatives that do not progress beyond the generic due to a lack of expertise amongst those performing the risk assessment

Any thoughts from out there in the blogosphere and twitterverse?

DLP implementation process

2009-11-17T22:18:00.003+11:00

I suggest that the following phases be considered in implementation of a Data Leakage Prevention Solution.

Asset discovery

Use your DLP suite to help you discover information assets on desktops, file shares and in intranets and extranets.

Asset classification

Leverage the suite to assist you in classifying the information assets discovered. Don't forget to classify the systems on which the assets reside!

Establish implementation team and support structure

You need resouces to design, implement and most importantly tune and respond to "false positives". Establishing a 1-800-DLPFIX number might be a good idea or at least documenting procedures for the help desk to handle common queries and escalate to the DLP team to respond to. Ensure that web based training is developed and that line managers are tasked with re-training personnel that will ping the DLP.

Design

Consider all points of egress USB, CD/dvd burner, webmail, instant messenger, email in the design. Remember you are mostly planning to catch accidental disclosure. Consider where SSL tunnels will terminate.

Consider use of the 1800 number in warning notices that will get turned into block notices.

Implement

Drop in the appliances on the gateway and the software on the desktops. Do a test of each point of egress with a test file, using encrypted and unencrypted webmail etc.

Monitor

Configure the DLP in monitoring mode with all signatures enabled. Do not alert end users at this stage.

Fix Broken Business Processes

By using the DLP solution in monitor mode you will now be able to identify broken businesses processes. For example PII being un-necessarily shuffled around on fileshares or credit card numbers being emailed due to a lack of system interfaces or even systems!

Tune

After you have remediated the business processes to a point where it makes sense to do so, then its time to tune the false positives out

Training

Roll out web based training for all personnel who will be affected prior to end users being alerted by the system.

Alert

Now enable warning messages for end users for each of the selected rules you wish to enforce. A click yes to proceed and a notification to contact the DLP team if there is a valid reason that this action must not be blocked in the future. During this phase the DLP team must be monitoring logs and liasing closely with stakeholders as to their contents. The alert period must be long enough to pick up any month end or FY end business processes such as shuffling of spreadsheets with billing data around.

Enforce

For the rules that are to be enforced, enable them after suitable fanfare and comunication to stakeholders. Use muliple channels such as voicemail, email, flyers and posters to get the message out.

Tune and Respond

There will be incidents discovered, leakage prevented, false positives to tune out and apologise for!

Virtualised Perimeter

2009-11-17T20:50:00.001+11:00

I drew the following as I wanted to start investigating how you might really push the limits in virtualising the perimeter.

Risks I was considering in the design were:

- guest to hypervisor (jumping from a vuln in the load balancer appliance/firewall/webserver to the hypervisor and into the database tier)
- accidental misconfiguration of database tier into web tier

Design considerations made:

- backup network for backup of server snapshots
- replication of database on SAN between production and DR datacenter
- "virtualised out of band management"

Keen to have some feedback and constructive criticism of the design.

I was thinking for the technology mix something along the lines of:
IBM blade servers
Windows 2003
EMC SAN
Vmware firewall (Vshield?)
Tripwire
HIDS

Rich Picture of the state of web application security

2009-11-17T20:30:00.001+11:00

Here's a first bash at the diagram. I was hoping to show on the diagram (along the lines of the seminal one in the Microsoft "Road Signs" paper):

- Current attacks from a "drive-by" and "targeted attack" perspective
- Security Controls (authentication, session management, input validation etc.)

Scoping a web application security assessment

2009-10-27T09:10:00.001+11:00

Some tips below for scoping security assessments of web applications:

*If its a small web application and its an authenticated black box assessment, a brief understanding of the application's functionality (i.e. business logic )and the number of pages and fields will be enough to scope it. As the application is small you just test everything with full coverage. Testing to pre-defined holistic criteria aligned to key security controls is the best way to get the coverage over the vast array of vulnerabilities that result from failure of these key controls.

* If the application is large and complex then you will need to take a risk based sample based approach. If it is say a banking application you may need to test everything, If its a less risky application you may be able to test a sample of functions and a sample of fields in these functions.

* The approach I take in scoping large complex web applications is along these lines:

- conduct a risk assessment, identify the key threats to confidentiality, integrity and availability and the functions that an attacker would need to abuse to do this, (think parameter manipulation )and the key controls accross the application (e.g. Authentication, session management and input validation) that prevent such attacks. You will need information such as architecture documentation, application use cases etc. to understand the application in order to risk assess it.

- The next step is to write a test plan so that stakeholders know what the approach is to testing, what will be covered and what will not. The test plan should also outline what test data and test environments are required. On big projects it is also important to stage testing in line with the application's development so all defects are not identified at the last minute with no time to remediate before go live. The integration of static code analysis during the development should be considered and complemented with manual targeted web application testing of key controls. (i.e. Use SCA to test if input validation function applied to all fields correctly and then manually test the input validation function for vulnerabilities).

- After the test plan has been written, then you can accurately scope the assessment in terms of effort and hence cost.

Thoughts on David Rice and understanding the infosec customer

2009-10-20T18:07:00.000+11:00

David Rice of "geekonomics - the true cost of insecure software" fame just did a keynote at the govcert conference expousing the benefits of understanding the security industry's customers .
He shared some very valid thoughts with us, namely:

* There is no one size fits all "platonic ideal" of a security program. Each organisation has a different risk profile and risk appettite and requires a different approach. There is no one perfect security programs but perhaps there are many perfect security programs.

* By understanding who are "customers " are and by conducting detailed analysis of our "customers" wants/needs/buying process etc. as an industry we can develop tailored "products" for them. By products I mean legislation, regulation, standards, blueprints, technical protocols etc.

* This will help the security industry mature and better meet the needs of its customers and identify untapped pockets of growth.

If I was going to start doing some "horizontal segmentation market research" for the security industry some of the market segments I would be likely to identify would be:

CONSUMER

Internet Connected Pensioner
Mum and Dad
Gen X slacker
Hyperconnected Gen Y

SME

Risk unaware one man band
Risk adverse One man band
Risk embracing One man band
Risk embracing growing young company

Risk adverse static small business

ENTERPRISE

Infosec manager
Undertrained Infosec analyst
IT project manager
Risk adverse Business line manager
Risk embracing Business Executive
Overstressed IT Operations manager
IT nerd

GOVERNMENT

Law/Business background legislator
Cybersecurity Czar
Technocrat

By analysing the wants and needs of these market segments in more detail perhaps we may be able to;

* identify legislation that matches the risk profile and risk appettite of the organisation and the market segment

* package up security policy, procedure and technology suitable for market segments that is actually attractive to the end users (perhaps from a fear sell to a greed sell to coin Schnier) and is not what we think they want but what they really want.

* Develop "marketing approaches" that resonate with the customer and educate rather than FUD and hoodwink tactics. E.g. Address legislators valid concerns about child protection online with actually effective approaches

great interview with shipley on risky business re soupnazi

2009-10-15T09:29:00.004+11:00

There was a fantastic interview with Greg Shipley in the latest risky.biz podcast #126 . Quick recap below:
*Pretty much Lots of large corporates got owned, over 100M credit cards stolen. Why did this happen?

*Base assumptions were made on effectiveness of control technologies by C suite i.e. we passed PCI-DSS, have firewalls, vulnerability assessment, IDS and antivirus hence we are safe.

*Shipley recommends the use of information risk register in IT function and application of compensating controls when security controls not effective

*IT can't convey technical risk effectively to management .

*Most organisations haven't mapped critical processes to data sets to systems and supporting infrastructure so additional controls such as network segregation and increased monitoring can be applied.

*until CEO knows what questions to ask CIO to identify if corporate data is safe we still have a problem.

I had some thoughts on the control technologies mentioned:

*firewalls - holes are punched through the firewalls to allow access to the applications that contain the critical data (e.g. Http to web app server, from web server to app server from app server to db server.) Hence security reliant on the controls implemented in these interfaces and any unpatched and 0day vulnerabilities (e.g. Input validation in web app, method of database connection, database listener patching)

*vulnerability assessment - vulnerability assessment is only effective if the vulnerabilities identified are actioned. In most organisations getting traction on better patch management and comfiguration management is an uphill battle without a clear business case and executive support.

*IDS - IDS has to be correctly placed so that traffic can be sniffed (i.e after where SSL tunnel terminates). Most organisations have NIDS only that is badly placed, badly tuned and non-monitored.

*audit logs - audit logs only detect usage of legitimate functions usually by authorised users, not OS compromise. Also once server compromised logs can be wiped if not centralised on a secure server.

*anti-virus - only detects variants of known families of remote access trojans does not detect custom crimeware much of which now is written and tested to avoid AV.

*PCI-DSS - no matter how gun your QSA is, it is only a point in time assessment and the QSA is an outsider unfamiliar with your environment. If actually performing the audit procedures required, (rather than a chat and issuance of a report as is rumoured to occurr ) He/She will check you do not have plaintext cardholder data in your database . You however can turn on diagnostics 5mins after they leave to troubleshoot an issue, forget about it and next thing you know there are half a million PANs in a text file easy pickings for anyone who cranks up metasploit (and has access to the network)

My thoughts on questions for CEO to ask CIO:?

*what % of IT budget is allocated to infosec ?

*do we know what our critical business processes, information assets, applications and supporting infrastructure are?

*of these critical applications and infrastructure, are we testing the protective security controls and are they effective in reducing the inherent risk to a level I would be happy with?

*are there additional trustworthy detective controls such as integrity monitoring on these systems (i.e tripwire is the bomb)

High level application security requirements

2009-10-06T12:27:00.001+11:00

Hey ISO wouldn't it be handy to have a set of high level security requirements for business applications, with a list of security controls maybe on a sliding scale based on the risk of the application ? I propose the following for the high level categories (can't have too many so have consolidated similar ones):
-secure authentication and session management
-secure authorisation and access control
-data canonicalisation known good input validation and sanitisation for storage and output
- logging, monitoring and reporting
- interface authentication and encryption
- data at rest encryption and database security

Maybe I should have a look at orange book/common criteria etc. ?

Criteria for evaluating a cloud services provider

2009-10-05T13:30:00.000+11:00

Was having some ideas about how cloud services providers could turn their investment in security into a compettitive advantage. For this to be accomplished there needs to be a frame of reference established.

So here are a few criteria for evaluation of SAAS vendors as a series of questions:
* have security requirements from legislation (e.g. Privacy act), regulation (e.g. PCI-DSS )and relevant best practice (e.g. ISO 27002 )been recorded?
*has a security architecture been developed, that considers both application and hosting infrastructure?
*does the application security architecture leverage the security functionality available in the application development framework?
*have security controls been tested functionally?
*has static code analysis for common security vulnerabilities been performed?
*has security functionality in framework been implemented?
*have security controls been tested for vulnerabilities by a qualified 3rd party?
*are release, change and configuration management processes in place?

Information security function governance maturity

2009-10-03T07:28:00.004+10:00

I've observed the following evolution from information security functions over the years as they grow in maturity. I've represented this evolution in maturity below in a series of statements, paraphrased from many discussions from many organisations. Keen to get people's feedback, and more submissions of similar statements and where they fit in the order below.

1. "What do you mean ? We've got security we have a firewall and antivirus?"

2. "So we have to comply with (insert compliance requirement here)? Well we better write a security policy on that"

3. "Gee we have a lot of compliance requirements now. We better start tracking them in a compliance requirement register so they get put in the policy".

4. That security incident wouldn't have occurred if people comply with the damn policy! How do we check they comply with the policy? Policy compliance checks that's how.

5. Hey there's a project over there, that could bring in new risks. Lets do a policy compliance check on it.

6. Hey it was good we did that compliance check there was non-compliance and new risks were being introduced. We better make a risk register to record these risks

7. No-one knows about the security policy, and they won't heed it! We better get some executive commitment in a security charter as they won't read the whole set of documents and do some security education.

7. No-one is fixing the policy non-compliances we are noting, we need to track them. Lets issue exemptions and put them in an exemption register

8. I wish all these projects would stop asking me how to comply with policy. Maybe we need an enterprise security architecture to show them what to do?

9. Its hard to translate the security policy into an enterprise security architecture, maybe we need some specific purpose standards and some guidelines?

10. Darn, that security incident occurred in an existing system/business process! Maybe we should do compliance checks on all the Business As Usual (BAU) systems?

11. AArgh! There are so many of these BAU systems! we need to record these and identify the critical ones so we can start on the most important ones first. Wish we had some asset management and data classification in place

11. Wow there's a lot of information assets, how are we going to classify all of these? Lets get someone embedded in each business unit to help us with this.

12. What about business processes, they create the information assets that go into the systems that make the systems critical. We'll do risk assessments on business processes to help us identify the critical systems!

13. Wow we've got a lot of risks in risk registers for each business unit and they are all written differently, it would be good to get an enterprise view of this. We need to build/buy a risk management system pre-populated with risk descriptions.

14. The policy and standards represents controls, maybe we should identify the key controls and test them and put the risks in the risk management system.

15. Too many spreadsheets! I wish I could standardise all this control testing, can we put that in the risk management system?

16. People are saying we say no too often and too late in the project lifecycle. How can we engage with the business better? I guess we could empower projects to set their security requirements, conduct their own risk assessments and control testing? Trust but verify! It works for Microsoft!

Integrating information security into your business processes

2009-09-19T21:39:00.000+10:00

Just thought I'd jot down a list of ways in which you can embedd information security practices in business processes and "be an enabler not a blocker "

- Changes detected by integrity monitoring with tripwire or similar can feed into change management processes to help identify security incidents to further investigate and non-compliance with change management procedures. Administrators making unauthorised changes to production is a high risk and can easily result in extended outages.

- Security patterns should be part of enterprise architecture, so that solution architects can copy them and tailor for the solution to maximise re-use of infrastructure and reduce complexity.

- Provide templates and instructions for risk assessments, security test plans and security reports so that project managers and test managers can be empowered to perform security tasks on a "trust but verify" basis with security to assist .

Anonymous, DOS of pm.gov.au

2009-09-14T11:53:00.007+10:00

In case you haven't heard, in response to the Australian government's proposal to implement mandatory internet filtering, the Prime Minister's website was subject to a minor Denial of Service (DoS) attack by a group of internet malcontents called Anonymous. Our PM is called Kevin Rudd, affectionately I will refer to him as KRudd in this post.

http://www.theage.com.au/technology/security/rudd-hackers-escalate-threats-against-govau-websites-20090911-fk2x.html

http://www.theage.com.au/technology/security/hacked-by-hoons-how-attack-on-pms-website-unravelled-20090910-fipj.html

http://www.crikey.com.au/2009/09/10/pm’s-website-hacked-no-just-script-kiddies/

And a quick note media, if you had googled Anonymous you would find that it is not one individual "hacker known as anonymous", but a "loose coalition of Internet denizens" "doing it for the lulz".

I like the following quote, it sort of reminds me of "flash mobs" http://en.wikipedia.org/wiki/Flash_mob and the "Stand Alone Complex" from Ghost in the Shell and even the Panther Moderns from Neuromancer

[Anonymous is] the first internet-based superconsciousness. Anonymous is a group, in the sense that a flock of birds is a group. How do you know they're a group? Because they're travelling in the same direction. At any given moment, more birds could join, leave, peel off in another direction entirely.
—Landers, Chris, Baltimore City Paper, April 2, 2008.[6]

http://www.abc.net.au/news/stories/2009/09/10/2681642.htm

I guess its one of the good things about Australia is that we just don't really care much about our politicians. We've got royalty already, the original British kind. We don't need our politicians to look good and say inspiring stuff. We just want them to stay out of our way and continue to run universal health care, state funded mental health care etc etc.

If Obama's website had been taken off the air, the Yanks would be starting operation sundevil part 2 maybe with or without waterboarding of "digital terrorists"? When our PM's website got DOSd probably a DSD graduate had to cancel a saturday night out and go check some logs down at a hosting provider.

Of course Obama can't get DOS'd too easily because whitehouse.gov is distributed out over lots of Akamai web servers around the place. Our PM's web site is hosted on say a single windows 2008 box down at Macquarie Telecom ( lowest compliant tenderer I bet ) http://toolbar.netcraft.com/site_report?url=http://www.pm.gov.au

So c'mon Aussie, let's all band together to hook up KRudd a website with bulletproof hosting, so that in case of ummm invasion by our northern neighbours or something he can still get a message out. If Krudd does have something to share of importance, his twitter account with a link to pm.gov.au is going to get the word out quicker than any media outlet.

I hear Telstra have a DoS protection solution, perhaps the new Telstra CEO could extend an olive branch? http://www.telstraenterprise.com/SiteCollectionDocuments/Brochures/TEGO1269_DOS_Web.pdf

Today Tonight Senetas and MAN/WAN eavesdropping

2009-09-12T21:42:00.004+10:00

So Today Tonight did a story called "The Big Take" http://au.todaytonight.yahoo.com/video#

Have a watch and share in the anger provoked by unmitigated vendor Fear Uncertainty Doubt (FUD) sell. Pretty much it featured some guys from Senetas (who I remember best from one of them embarrassing himself at a professional association by pretty much heckling a security professional from a banking institution during question time after a fantastic presentation he had delivered).

Well in the story they demo'd tapping a fiber optic cable (whoop de fricking doo, you can tap the copper out the front of your house with a linesman's handset as well) and running a sniffer.

Then they packed up the gear in a van and donned workmen's gear and went for a tour around Sydney. The video shows them posing for the cameras with an open laptop on top of a telco cable pit, and using some cable snips on a cable etc. Then the "reporter" makes some insinuations about fiber connected ATMs and diagrams within buildings (OMG the sky is falling!! quick buy some expensive hardware encryption devices to go on each end of my MAN links).

So what are you going to get if you start tapping a telco link in a CBD cable pit?

Umm well you will probably have multiple customers going across the link, probably ATM maybe SONET. Maybe even ethernet over MPLS over ethernet on fiber. So what are you going to use to decode all that and how are you going to make sense of all the exchange server replication, SMB chatter etc. etc? Wireshark just aint going to cut it.

Not as easy as putting a sniffer on and looking for known plaintext (like in the demo the Senetas whores benched up)

Database replication these days is even trickier to intercept with SAN snapshots replicating over fiber between datacenters using proprietary protocols.

Remember that most sensitive Personally Identifiable Data like cardholder data is submitted via web forms that are encrypted with TLS (oh and PIN blocks are encrypted with 3DES, not that that there are many if any Metropolitan Area Network connected ATMs around anyway). Didn't see them cracking out Dug Song's webmitm and arp-spoofing gateways (now that would be a challenge with all the Layer 2 wackiness going on on a MAN). You'd be camped out for a month in a cable pit to get that working and capture anything worth-while.

Then what if someone has just put some host to host IPSEC in (windows servers can do that you know out of the box, it's even in the MS guide) or a VPN over the MAN/WAN?

Overall it sounds simple to the layperson, but in practice its impractical. Best case you could write some custom software to record a few credit card numbers flying by in _email_.

Now what they could have reported on would be the risk of someone taking an axe to some fiber in a metro area, much more likely to occur and more damaging. This has happened in a number of places and even in Tasmania I believe

IMHO unless you are a global organisation who has to worry about nation state sponsored corporate espionage or you are in the defence/intelligence community don't worry about this fantastical theatrical issue. If you are in that category why not wack a digital certificate into your email clients (they all support S/MIME these days) sign some emails and add your colleagues certs to your contacts in your mail client and enjoy secure communications by default.
A bit of IPSEC VPN might not go astray either if you're in that category.

I suggest the next time anyone sees "journalists" or vendors prancing around breaking the law, prising up cable pit covers, etc. call the cops and you-tube the whole debacle.

Technical Clarifications/Comments/Flames/Tin Foil Hat wearer conspiracies welcome

Back on the air with securitybloggers.net ?

2009-09-12T20:15:00.002+10:00

Got a few bees in my bonnets to share so wanted to get this out there. Before I forget things that have made me angry:

- today tonight and senetas going all FUD to get ratings and sell optic fiber encryption hardware to private sector
- Our prime ministers website getting DOSd for the second time this week (have we no pride Australians??!!)
- the poor state of public website security (in general). Why oh why is it so hard to validate input on brochureware sites!

Security is an extension of good systems administration

2009-08-14T11:27:00.002+10:00

Attended a great meeting at AISA yesterday in which Dr Caroline Allison made the excellent point that the correct operation of an IT system is key in the admissability of audit trails as evidence.

This really pointed out to me that change management, release management and incident management processes (and systems and documentation) are key to making sure that you can state that IT systems are running as expected during the period of time in which the incident in question has occurred.

For example under cross examination the IT manager could be asked all these sorts of questions that he may not have the answers to such as:
- Was logging working correctly during the period of time that the incident occurred?

This also got me thinking how infosec activities should be embedded in these base (ITIL like) processes, for example:
- Change management - looking for unapproved changes by comparing say tripwire reports to change records and escalating to infosec department's CSIRT
- Release management - implementing gates for risk assessment, checks of security requirements, source code analysis, functional security acceptance testing and vulnerability assessment
- Incident management - engaging infosec as part of investigations into un-explained outages and incidents of human error, which may help identify users/developers/testers with excessive access rights

what do you need to know to work in infosec?

2009-06-08T07:31:00.007+10:00

Here's a list of things that are really handy to know for the day to day business of information security. Note, if you know how to do these things then learning to review them is simply applying "audit methodology". Hope this list will be useful for myself as a refresher and to others wanting to further their skills:

1. TCP/IP basics like OSI model, routing, protocols, ports, NAT
2. Construct a checkpoint firewall rule base
3. Construct a PIX firewall rule set
4. Configure a cisco router to CIS benchmark
5. Configure VLANs and port mirroring on a cisco switch
6. Deploy Microsoft security templates to a group policy object
7. Configure a WSUS server and run MBSA to check it is working
8. Use Solaris Security Toolkit
9. Administer a linux box, enable/disable services, use package managers etc.
10. Install oracle and mysql
11. Be able to construct an SQL query or two
12. Configure a web server or two (say apache and IIS)
13. Configure an application server or three (say tomcat, websphere application server, maybe BEA weblogic)
14. Be able to use a web proxy (burp, webscarab) and a fuzzer
15. Know how the following security controls of authentication, session management, input validation and authorisation are implemented securely for a number of application development frameworks
16. Configure an IDS or three (Snort, IBM solution set)
17. Know the ten domains in ISO27002 and their content
18. Be able to identify control gaps from ISO27002 in your operations
19. Be able to build a security plan to address control gaps (planned end state, costs and benefits, dates, actions and responsibilities)

User generated content and i-catraz

2009-05-27T09:21:00.003+10:00

Just was advised of a site called phishtank. Its pretty useful since www.antiphishing.org stopped archiving phishing emails.

It got me thinking how useful user generated content, the best thing about web 2.0 is becoming. If there is enough of a need its amazing what the community can come up with.

I'd like to see a virtual tar and feathering web site too for cyber crims :) Maybe that could be i-catraz as Eugene Kapersky alluded to at AusCERT.

No internet license for you!

Optimism vs Pessimism & Infosec

2009-05-11T09:36:00.001+10:00

So in the current market place you can look at things in an optimistic
light or a pessimistic light.
With our black hat on organisations will spend less on IT and hence
security. Large IT security projects (like identity management) won't
get the business case approved. Incidents will increase and the sky
will fall, etc. etc.

With our yellow hat on, the pause on large IT projects will allow
security teams to focus on business as usual processes and legacy
systems. The increased awareness of insider threat will allow infosec
professionals to progress with smart tactical initiatives (like DLP) .
No matter the perspective infosec was a necessary evil in good times
and will be necessary and even more needed in bad.

--
Sent from my mobile device

Utility Computing

2009-04-28T09:16:00.003+10:00

When will computing really become a utility? I expect when the following happens:

- Cheap uncapped High speed wireless with operating systems that boot off the net are commonplace
- Standards for web applications emerge that allow custom web applications to be coded and hosted quickly, cheaply and securely via a tendering application that helps specify business requirements
- internet access is regulated and outages are financially penalised by the government (as per other utilities).

web 2.0

2009-04-18T20:45:00.001+10:00

Geez there are some really interesting issues related to web 2.0. Location aware social networking like Google's Latitude. Corporate twitter in the cloud, aka yammer. Cross Site Scripting, Cross Site Request Forgery and Direct Object Reference will be common security problems in these applications.

Hot spots

2009-04-15T09:08:00.001+10:00

The following are hot spots for security researchers to focus on and infosec pros to worry about: Protocols that support internet infrastructure like DNS and BGP.
Web servers
Database listeners (if you own a web server, pivot off it and this is the next stop out of the DMZ, also all the data is in there :)
Protocols you just can't turn off or block if there is a worm, like SMB
Middleware and anything that transmits a password- if its not encypted its no good.
Crazy virtualisation near trust zone boundaries - misconfigure vmotion, SAN or load the wrong vm and you could have a database on the net

Cloud

2009-04-09T22:55:00.002+10:00

The use of the word cloud makes me want to punch people. Have you got cloud? ARRRGH!! Well was chatting with a few people today at the AISA chapter meeting about cloud (which is really just a jumped up re-brand of ASP, SaaS etc.) and mentioning how a colleague had told me of an organisation renting time on the Amazon cloud to do genomics number crunching (a 2 core server cost them 10c an hour or so) The conversation moved to old skool SETI at home, uploading vm's to run in the cloud (Gbs in size ouch), Ruddnet etc. The thing that made me LMAO was when Darren mentioned that crims do cloud the best. You can rent time on a botnet to do _whatever_ you want and way cheaper than anyone else (as the crims don't even pay for the infrastructure). Botnets I dub thee STORMCLOUD COMPUTING!

Conficker was a bust

2009-04-07T17:14:00.001+10:00

Hmm media and AV companies hyping a potential worm outbreak. So 2004. Doesnt anyone know that the game has changed? Researchers are all "no free bugs" or curtailed by EULAs, copyright legislation and MS bounties. Hence no proof of concept code lying around for idiots to turn into worms. Now the vulns are found by bad guys and used to send spam and steal credit card numbers.
Bad guys like to run under the radar. Wake up media and vendors.

think evil & build not break

2009-04-02T09:10:00.002+11:00

It was a pleasure to hear andrew van der stock present last night at the Melbourne OWASP chapter meeting. His presentation covered a few home truths about application security that I share:
think evil - perform risk assessments and concentrate on what matters.
controls not vulnerabilities - write simple secure code with good key security controls (i.e. canonicalisation and known good input validation), don't bolt on code to address vulnerabilities.
build not break - don't be a blocker be an enabler. Instead of saying no and raising a problem without a solution provide an easier and more secure option for the developer.
ban insecure functions from development frameworks

Insider threat

2009-03-11T09:04:00.000+11:00

How do you stop employees taking confidential information with them when you terminate their employment ,without annoying them so much that they do something stupid ? My thoughts follow . Classify information and label it . Store the classified data (eg customer list )in a system like a document management system or a database and restrict export functions. When terminating an employee remove access to these systems first . This may not be possible organisation wide (or you may be behind on this), so restricting USB devices via microsoft group policy , removing DVD/cd burners, restricting web based email may be necessary in some cases. DLP is only going to be useful if you know what data is confidential before hand so you can block it. However DLP could perform a role of a black box flight recorder helping you determine what has walked out the door and help you as an infosec pro quantify the extent of the problem. DLP has most benefit in stopping accidental leakage events or stupid attempts . The smart and determined will just print out the data or take a photo of it on the screen. But hey maybe the smart determined ones will still have a job ?

----  Sent using a Sony Ericsson videophone

Bad news for the economy good news for security

2009-03-06T11:14:00.001+11:00

Well the world economy is in the toilet , this we know . However there is a silver lining to this for the security industry. Increased insider threat will push business cases for data leakage prevention solutions and increased associated services like computer forensics (think customer lists walking out the door to compettitors ). Information security will share the pain of large projects getting put on hold or not getting approval to start. Also for the professionals the amateurs will shake out as the pros refine their service offerings to meet the changed client needs while the amateurs get stuck in a downward spiral on rates on commodity services like infrastructure pen tests and "security reviews". Also consolidation will drive better services to the customer with larger providers being able to offer more of a" one stop shop "

----  Sent using a Sony Ericsson videophone

Academia and security

2009-03-03T08:34:00.000+11:00

Meeting some academics today to see if we can place a student. Often they are interested in crypto and IDS. In the real world crypto is bought as a peer reviewed API and IDS is a rack mount appliance . The challenges in industry are funding, education and doing the boring but important things right like risk analysis , software QA ,secure configuration and compliance. Hey i do do some activities in web application security assessment that researchers would be familiar with, like basic cryptanalysis such as known cipher text attacks to break trivial "proprietary encryption algorythmns" that are really encoding and analysing the random ness of session ids.

----  Sent using a Sony Ericsson videophone

LC6 is coming!

2009-03-02T22:08:00.002+11:00

wooo! I miss the LC. I'm kinda paranoid and like to crack passwords locally using rainbow tables I have generated rather than those web sites front ending rainbow tables.

I hope LC6 has some other password cracking functionality like VPN and WLAN pre-shared hashes and some more functionality for LANMAN hashes off the wire.

Hello Security Bloggers Network

2009-02-20T13:34:00.002+11:00

Hi there everyone on the security bloggers network. I'm a security professional who works in:
vulnerability management (infrastructure and web penetration testing, benchmarking and optimisation)
security management (policy, procedure and technical standards development)
infrastructure & operations security (secure configuration of devices, databases, operating systems and assistance with logging monitoring and reporting).

I'm always limited on time I can spend blogging , so I end up blogging whilst waiting for clients in foyers and when commuting to and from work. So most of my blog entries are related to my activities during the day and my reflections on the way home.

Exfiltration

2009-02-19T08:39:00.002+11:00

Currently it is very important to be monitoring traffic exiting your network to be able to detect remote access trojans that have not been detected by your anti virus .

I suggest restricting all out bound traffic from the desktop and inspecting proxy logs as well as web content management.

If you are a high risk target white listing only approved business web sites may be an option. You can always set up an internet cafe for users to surf fairly un restricted .

Without some of these restrictions it is too easy for the bad guys to write up a custom trojan (or just modify an existing one slightly )and slip it through your defences through a stored XSS in a trusted web site or even social engineer it through in a password protected zip file .

Bizarre security sticker

2009-02-18T07:49:00.000+11:00

Huh ? Are crims putting an explosive gas in atms to blow them open?

----  Sent using a Sony Ericsson videophone

The love of Backtrack 4

2009-02-16T09:05:00.001+11:00

Backtrack 4 now is in beta and it is a Ubuntu based distro. It is great to be able to use synaptic package manager and a bit of apt-get and apt-cache to load packages . Having a full set of wireless tools and all patched drivers etc is also a real time saver.

----  Sent using a Sony Ericsson videophone

Its hard to find spies to recruit when they have facebook :)

2009-02-05T15:23:00.002+11:00

I love this bit

“We've been expecting you, Mr Bond,” says the evil Blofeld, stroking his white Persian cat. “We saw your Twitter update.”

Social networking websites make recruiting spies difficult

Thanks to Serg for this one!!

Logs logs logs

2009-02-03T16:21:00.000+11:00

My advice for log management . Identify what could go wrong and then only log the activities that would be associated with that malicious activity (by enabling the devices to log these activities and sending them to a central log server under the control of the security department). Then establish alerts on a risk based approach only for those malicious activities that are of real concern.

----  Sent using a Sony Ericsson videophone

Criminals

2009-02-02T09:23:00.001+11:00

So what is the modus operandi of online thieves and other criminals?

Stealing credit card numbers ,selling them to others who make up fake credit card numbers and buy high value postable goods and resell them to turn the stolen credit into clean cash.

Guns for hire who steal customer lists to order or deny service to compettitors for unscrupulous business owners .

Extortionists who deny service to organisations on the fringe of legality.

This may explain why i am into testing web application security controls, load balancers, web application firewalls, IDS etc

----  Sent using a Sony Ericsson videophone

Not kidding about this heat

2009-02-02T09:04:00.001+11:00

Just to show that last image was not just an out of wack french car thermometer see attached chinese made $100 one

----  Sent using a Sony Ericsson videophone

It is hot

2009-01-29T19:19:00.000+11:00

Man its hot

----  Sent using a Sony Ericsson videophone

Tool Kit

2009-01-27T23:17:00.004+11:00

So you want to be an information security professional? Well what do you carry around? Here's my list:

Backpack - sign of a pro, you may need to carry two laptops down George St in the rain. (I prefer Crumpler).

Mobile phone - you need to be in touch. Turn off the push email to save your sanity.

3G card - so you can type proper emails on a proper keyboard.

Laptop - smaller and lighter is better, you need a CDRW

Blank CDs and DVDs - never know when you may need to give someone something

USB Key - big, bootable and encrypted. We have a web app toolkit that runs off a USB key.

Backtrack DVD - just in case you have a hard drive crash.

Folio - to put reports in to transport securely and crumple free.

Green tea bags - you don't know what they might have at the client

Water bottle - Sigg, so you're not drinking wacky plastic.

Pen - not too expensive

Notebook - it's a bit rude to take notes in a folio sometimes, esp in a casual setting.

Business Card Holder - the cards get crumpled in your wallet and you don't take your folio to the pub :)

PCI-DSS

2009-01-23T08:02:00.000+11:00

PCI-DSS is a practical standard if you comply with the spirit of the standard you will be well placed . By that i mean by implementing the controls in the standard so they are effective . For example monitor and tune the IDS and trip wire that the standard asks you to wack in instead of "set and forget" , update your SOE quarterly and modify systems to suit etc .

----  Sent using a Sony Ericsson videophone

Access to security tools

2009-01-20T09:27:00.001+11:00

Security tools (port scanners,vulnerability assessment software, exploit development frameworks,web proxies,fuzzers and debuggers etc) are like hammers . You can use them to beat your shields into shape or you can use them to wack someone on the head . Just like you need to be a lock smith before you can buy lock picks maybe we need a self regulation system ? Require a permit number before download and finger print the tool with the permit number . Make the tools send the permit number with each packet and maybe we will have a method of b*tch slapping script kiddies?

----  Sent using a Sony Ericsson videophone

Cross Site Request Forgery in the Wild

2009-01-15T14:28:00.001+11:00

Good read from Symantec

Builders vs breakers

2009-01-15T12:57:00.001+11:00

In my humble opinion this pen testing is dead meme and this builders vs breakers thing is coming from the same source.

Improve security by implementing key security controls in applications and building these key controls so they are secure themselves . By doing "stupid human tricks" and demonstrating that controls are not implemented we are just demeaning the profession. Poking holes in key security controls such as input validation functions and authentication functions in network protocols and providing patches (if source code available) or at least suggestions is valuable and a worthy pursuit

Pen testing is dead? Part two

2009-01-15T09:07:00.001+11:00

There aren't that many IT security literate people in organisations so when they need some assurance they are doing the right thing they ask a 3rd party with specialist experience for testing . The reality of the situation is that if someone is looking for assurance that they are doing a good job security wise they probably aren't . Some questions that security people often dont dare to ask or ask pretty much knowing the answers when approached to conduct a pen test include
% do you have a security policy
% do you have up to date technical security standards for the kit in use ?
%has someone been tasked with applying the standards ?
%has someone checked that the standards have been applied?
%is someone monitoring for intrusion?
%is there a risk assessment for this project ?
%there any security requirements for this project ?
%is there a security architecture document and detailed design docs for the key security controls ?
% has functional testing of the key controls been undertaken to check they work in the intended manner ?

----  Sent using a Sony Ericsson videophone

Pen testing is dead?

2009-01-14T18:25:00.000+11:00

Incident near miss "compliance requirement " from some where + lack of visibility of security posture= client looking for security testing = pen test request, as this is what is commonly known in IT land as security testing. Can anyone get in ? Is the most commonly asked question

----  Sent using a Sony Ericsson videophone

twitter

2009-01-12T08:20:00.002+11:00

Ah, I figured out twitter. Its facebook-lite. Its just the status tag of facebook. I now have a java twitter client on my phone. Kind of weird. I'm now stalking Jerimiah Grossman, HD Moore, Marty Roesch, Adrian Lamo, Dave Aitel and Kevin Rose (just for humour value).

See the link to the right for my twitter feed if you too like to stalk people in a friendly kind of way.

nice article from grossman

2009-01-09T23:30:00.000+11:00

http://jeremiahgrossman.blogspot.com/2008/12/history-repeating-itself.html

Ask a question

2009-01-09T21:38:00.005+11:00

Hello,

I now am offering the following service via Infamous Agenda. Ask a question, get an answer! Free!
I'll post the questions and the answers.

For sort of serious questions email goodquestions at infamousagenda com An example below:

- If I have expired credit card numbers in a database, is the database in or out of the scope for PCI-DSS compliance?

For the questions you are almost embarrassed to ask email stupidquestions at infamousagenda com

- What's a HSM?

Then there is dearmatty at infamousagenda com my Agony Aunt column, an example below.

Dear Matty,

I'm a CISO but I'm getting no love from our CFO. We have had some lovely trysts in the past, I fondly remember wooing him with our Identity Management business case. Oh how he swooned with the return on investment calculations. Recently he has cooled to me and I just can't get his attention. Dear Matty what can I do to recapure his affections and clinch that lunch date?

Desperate and Dateless.

Dear Desperate and Dateless,

Your CFO is cooling to you with the cooling economic climate. Present to him some examples of how security can enable and support business initiatives. Good examples could include:
- virtualisation security standard development - enabled virtualisation to be used on a new project resulting in capital expenditure reduction.
- establishing a VPN - now an outsourcer in India can access systems from the internet securely without WAN costs, saving ongoing operational expenditure
Make sure there is a theme of enabling cap e and op ex cost reductions and the CFO will be courting you!

Good Luck from Dear Matty.

What is the next big thing?

2009-01-09T18:10:00.002+11:00

®PCI-DSS - will mandatory breach reporting and information leakage/credit card theft make this blow up in Australia? ®Virtualisation security - will the drive to VMware everything to save capital expenditure result in more security incidents and a rash of secure configuration and architecture engagements in a knee jerk reaction ?

® Web application security ratings and certifications - will organisations get fed up with sub-standard application and want some assurances that OWASP level standards have been adhered to in development processes?

----  Sent using a Sony Ericsson videophone

Affiliate program now online

2009-01-09T07:49:00.002+11:00

Mostly out of curiosity to find out how this works, I have signed up for an affiliate program and selected a few vendors I recognised. Not sure if any of my readers will buy consumer AV off a link from my blog, but hey if someone does my domain name registration is pretty much paid for for the year :)

What are the hard things to tackle that no one talks about in information security ?

2009-01-08T08:48:00.002+11:00

There are some "elephants in the room" that aren't talked about because they don't involve selling shrink wrapped software or 19" rack mountable goodies. These are windmills to tilt against.

©Tackling the insider threat, how do you catch out fraudsters and information thieves BEFORE they rob you of your customer list and complete a fraudulent transaction on the company accounts ?

© the prevalence of XSS vulnerabilities across the web that allow malware deployment to users visiting "trusted" web sites forums etc

© signature anti virus is not cutting it these days with "crimeware" sold with update functions and money back guarantees to not be detected by the major anti virus vendors

----  Sent using a Sony Ericsson videophone

Mandatory Internet Filtering

2009-01-08T06:53:00.004+11:00

Hey,

This mandatory internet filter is meant to restrict us from accessing illegal content. I spend my days looking at computer security research, some of which is exploit code, security testing tools etc. Is this illegal now? Will I be blocked from www.packetstormsecurity.com . Ah well just proxy out via our global WAN :)

AISA out out a press release and pretty much announced what a stupid idea this is. Well done Drazen!

just registered www.infamousagenda.com

2009-01-07T21:14:00.002+11:00

I'm going full on :) DNS replication happened overnight. Set up Google AdSense as well to help pay for the domain replication. Have to look into advertising.

2009 Predictions

2009-01-05T09:07:00.001+11:00

Information security will become more integrated into business processes due to traction on identity management initiatives ( RBAC ,Provisioning and termination ) and implementing secure development practices into the SDLC. On the new and emerging threat side i predict we will see crimeware deployed in new ways via injection into web apps or installation at the factory by insiders potentially even in firmware , an escalation of what we have seen with USB devices with simplistic malware installed sometime between manufacture and receipt by the customer

----  Sent using a Sony Ericsson videophone

2008-12-22T21:53:00.001+11:00

Virtualisation

2008-12-05T08:01:00.000+11:00

Hey its been around nearly longer than i have been alive in the mainframe world. Now all the wintel shops want to do something about the sprawl of wintel boxes about caused by pretty much a lack of faith with wintel resource management and reliability . This has led to a proliferation of one role per server and acceptance of load balancer and cluster based solutions to core with the threat of the BSOD. Enter Virtualisation now we can put all that one role per server stuff on the one machine. Wacky its one patch on another.

----  Sent using a Sony Ericsson videophone

AISA end of year function

2008-11-28T12:34:00.000+11:00

Thanks NAB guys and Stratsec for the sponsorship . Richard's presentation was great and hit many a nerve and even the funny bone too . The view was great and i was pleased to see such a great turnout

----  Sent using a Sony Ericsson videophone

AusCERT

2008-10-22T07:59:00.000+11:00

Hello from the train where i have many of my few rare blogging minutes. I am writing a paper/presentation at the moment for AusCERT as i haven't been for a number of years and swore to myself if i went again i would deliver a presentation. I looked at the program for last year and was amazed by the number of vendor tracks . Maybe this is why we have chatter that AusCERT has lost its edge ? I guess this is what happened to RSA it started out technical and crypto and then became a trade show .how do we make the largest conference in Australia better ? Relevant topical content i guess ?

----  Sent using a Sony Ericsson videophone

We need assurance

2008-10-21T17:53:00.000+11:00

Was thinking about mark snow's presentation at AusCERT and the recent interview with that geekonomics guy on risky business . It would be good to establish a 0 to 5 star labelling scheme for software for security just like the one in place with EuroNCAP for car safety . Who better to establish such a scheme than audit firms ?

----  Sent using a Sony Ericsson videophone

More car analogies

2008-10-21T17:49:00.000+11:00

Security is like car safety , when you have active safety you can avoid incidents when you have passive safety you can minimise damage from incidents to the occupants. Active safety in motoring are things like good brakes headlights etc passive safety are things like air bags crumple zones seat belts fuel cut off valves etc. Infosec equivalents for these that let you drive at high speeds and not die in a crash are : headlights = threat intelligence services and IDS brakes = ? Fuel cut off valve = CSIRT Speedo = SEIM Right foot control = risk management accelerator = risk management framework crumple zones = DMZ

----  Sent using a Sony Ericsson videophone

Good security awareness program at the royal show

2008-09-29T12:32:00.001+10:00

Get them young ! My child had fun throwing bean bags at effigys of internet and regular scam artists and becoming a deputy scam buster. Well done consumer affairs victoria !

----  Sent using a Sony Ericsson videophone

Mobile phone products to invent

2008-09-20T21:15:00.002+10:00

Mobile device sanitisation software.

An application that provides a day by day bar graph of mobile phone usage in minutes and if you enter your plan details or select them from a pre-populated list, $ cost per day and running total.

How to raise the profile of your information security department

2008-09-18T09:12:00.000+10:00

As Australian CIOs see information security as a lower priority than reducing costs maybe it is time for us to go on the charm offensive? Some ideas follow : Try an end user security awareness program in a handy tips flavor focusing on social engineering and malware; look at your branding esp your motto ; provide communications to stakeholders on your organisations most critical apps and what you are protecting then from and business process impact if there is an incident ; benchmark your operations against your peers; produce easy to understand risk based management reporting supported by a security metrics program

----  Sent using a Sony Ericsson videophone

First jobs

2008-09-16T21:39:00.003+10:00

I was thinking about my first job in security, and was kind of thankful for the opportunity. I was a security guard at a police HQ on the night shift and the criminal investigation branch during the day.

Man, I had some interesting encounters with the general public, well the very sketchy portions of the general public.

It was kind of cool to roll in unmarked police cars on occasion and tote some sort of police ID. The responsibility sort of gave me some direction when I needed it.

Thanks for giving me the opportunity, you know who you are!

info-sec car analogies

2008-09-13T22:32:00.003+10:00

from the user perspective - you are driving the car - you are driving along the information super highway and take a look at a shiny billboard and next thing you know you are stuck in a ditch (DoS) or being mugged (malware). you need some lane markings (security awareness training).

from the administrator perspective - you are maintaining others cars, you need to know what makes a car roadworthy.

from the architect perspective - you are designing cars and roads, you need crash test results

speedo = SEIM ?
air bags = incident response capability?
accelerator = take more risk?
brakes = take less risk?
road signs = security awareness training

challenges with vulnerability management

2008-09-10T22:28:00.005+10:00

Recent information leakage studies (verizon one) identify that intrusions occur from vulnerabilities that are more than a year old and often easily fixed by patching. The poorly informed would cry "just apply the patches" well here are some of the challenges:

- it's easy to test, if you aren't running apps, umm but aren't all partner facing or internet facing systems.hhmmm
- you need to test, sometimes patches break things, especially poorly coded legacy apps. Sometimes those apps aren't supported and you may have a situation where you can't turn off the vulnerable functionality or apply the patch.
- testing, proper testing involves functional and non functional testing, maybe even performance and volume testing. No surprises that costs big bucks, and which app owners are going to cough up for testing on apps already in production that are not cashed up with capex approvals etc.

Approaches:

-risk assess systems, focus on most critical
-have a regular patch schedule aligned with testing, that also updates the SOE.
-deploy IPS/WAF/reverse proxy/in listen only mode ready to help block an exploit that has pwned you, so that after you have rebuilt you can protect again re=pwnage.

The simple things in inosec are often the most effective

2008-09-07T18:11:00.001+10:00

data classification - classify the say 10% of information assets that really matter and you can:

secure only the systems that really manner.

enable users to apply information asset handling procedures to prevent data leakage

Former federal privacy commissioner addressing AISA

2008-09-07T17:46:00.000+10:00

Bumper session:-PB-);-)

----  Sent using a Sony Ericsson videophone

my first security haiku

2008-09-06T07:16:00.000+10:00

5,7,5

some patience required
when writing security
policy framework

large it project
so near to finish lets test
security requirements ?

Security governance - launching the offensive

2008-09-03T16:07:00.002+10:00

1. Tender, employ, buy, build, educate in as small a chunk at a time as you can manage

2. Test security activities have addressed KPIs and KRXs they were planned to improve as part of regular compliance testing cycle (just delay testing cycle until project completed)

Security Governance: The First battle

2008-09-03T15:56:00.001+10:00

1. Security awareness campaign (we are coming hide your skeletons in the closet) state grace period and requirement for lodgement of exemptions

2. commence compliance testing of KPIs (from metrics in endorsed security standards)

3. no-one is compliant with standards, umm, oooer

4. put KPIs into KPXs and into KRXs and into KRIs

5. Suprise Suprise, the Key Risks and fixes are pretty much what you expect user access management, secure configuration of nfrastructure, secure application development processes

5. present shocking KRIs to executive, along with plan of activities to improve KRIs, include dates of which KRIs will improve and cost/effort estimates

6. Cajole and Educate executive

7. Budget approved!

8. Drink beer

Security governance: The Initial Skirmish

2008-09-03T15:33:00.001+10:00

1. Get executive commitment to a security charter with a principle for each of the ten ISO 27002 domains and appoint yourself to act on behalf of the executives in accordance with charter.
2. Do a sing and dance you have cracked the hardest piece of the puzzle
3. Write up security governance docs to establish an Information Security Management System (include exemption management, metrics, compliance testing, sanctions for non-compliance and a document map)
4. Create draft security policy statements for the key security policies
5. Workshop draft policies with anyone who will listen (HR, IT ops, IT architecture, risk, internal audit etc.)
6. Record and refine stakeholder input (and put in version history of docs)
7. Issue security policies as draft for comment on Intranet
8. Take in feedback and refine (if any)
9. Get security policies endorsed
10. draft security standards and include KPIs
11. workshop with stakeholders
12. refine
13. issue as draft
14. get endorsed
15. execute security awareness campaign
16. write processes
17. write procedures
18. write baselines and use these to guide construction of SOEs

Reflections on the Australian Infosec market

2008-09-01T21:58:00.001+10:00

Size of information security department
Manufacturers - 1-2 FTE in security
Insurers - 2 -10 FTE in securty
Small Banks - 2-5 FTE in security
Large Banks - 50- 100 FTE in security

Typical activities
Testing new projects
Closing audit issues
Developing security policies
Managing vulnerabilities
Testing compliance with policy

Challenges
Implementing management reporting/metrics
Developing expertise in web application security testing
Producing standards for application developers
Figuring out a pragmatic approach to security logging