Wednesday, September 28, 2011

DHS says that's not a bug, that's a feature re: ICS

Threatpost has an interesting article on how the Department of Homeland Security is going to begin reclassifying vulnerabilities in Industrial Control Systems (ICS) and will no longer create ICS-CERT alerts for vulnerabilities that are deemed "design flaws", such as ICS communications transmitted in clear text. The explanation is that clear text transmission, or better stated, the lack of secure communications, is a design issue across the board that is too big to be considered a "bug" in the way a buffer overflow in an application would be. So they are not going to issue an ICS-CERT security advisory about it.

Given that other vulnerability management systems such as the CVE database, Secunia and the like all create vulnerability announcements for design flaws such as clear text transmission, why should the DHS act any differently? Perhaps there are so many inherent design flaws in business-critical ICSs that they are worried the resulting alerts would scare the kittens out of people, in light of the enhanced press coverage of so many high-profile intrusions within the last 8 months.

Or ICS vendor lobbyists. Could go either way.

Wednesday, September 21, 2011

Richard Clarke joins Bit9 board

I've been a long-time fan and supporter of Richard Clarke. This is the man who served under four presidents, most famously on the National Security Council as the Counter-Terrorism Czar. The man who, with his team, read the intelligence correctly prior to 9/11 but was conveniently ignored. The man who was (if memory serves) the only person on active duty in the administration in the wake of 9/11 who, during the 9/11 commission hearings, ever actually apologized to the American people.

"To the loved ones of the victims of 9/11, to them who are here in this room, to those who are watching on television, your government failed you. Those entrusted with protecting you failed you. And I failed you. We tried hard, but that doesn't matter because we failed. And for that failure, I would ask, once all the facts are out, for your understanding and for your forgiveness."

Post Iraq II invasion, Richard Clarke became (probably in frustration combined with intel and foresight) the "Cyber-Security Czar", focused on the cyber threat to the American government, military and industry/commerce sectors. His book "Against All Enemies" (2004) is his memoir/account of the events leading up to 9/11. His book "CyberWar" (2010) is a fairly accurate look at many of the internet-based threats to the U.S. as well as the world as a whole, although some statements contained in the book are disputed within the security industry.

It was announced today that Richard Clarke has joined the board of Bit9. Those who know me know that I have, since the demise of the Cisco Security Agent (CSA), been singing the praises of Bit9's application whitelisting solution Parity, after months of research for a true endpoint security solution. I will be very interested to see what impact Mr. Clarke has, if any, on the company and its business goals and direction. Regardless, I am of the opinion that his backing of this organization isn't just fluff and showbiz. The technology is sound, and his thirty years of experience in intel, counter-terrorism and cyber-security recognizes that.

Personally, I hope my optimism isn't disappointed.

Wednesday, September 7, 2011

DNS and SSL attacks - further evidence that the internet should not be used for critical applications

The DigiNotar certificate forgeries and the NetNames and Ascio DNS hosting break-ins, which resulted in DNS entries for several prominent websites being redirected to malicious and unauthorized sites, just reinforce the fact that we are pushing the limits of "security" on the internet. Technical limitations of SSL and DNS (even DNSSEC) aside, this is all about good housekeeping and avoiding the false sense of security that tends to fog the issues when nothing bad has recently occurred. Let's go over the list:

  • The lack of network segmentation
  • Unpatched applications
  • SQL Injection
  • Poor password management
  • Out of date Anti-Virus

Oh, and a bunch of monkeys in charge of internet critical systems asleep at the wheel (well, tire ring, anyways).

Security is most effective when the data owners understand the concept of accountability, so when there are no regulations or standards to hold accountable the organizations who provide security-critical systems such as Certificate Authorities and DNS services, what do we expect? These are systems we inherently trust (another issue of the "human element"), yet they are dropping like flies due to the same issues we "experts" have been screaming about for at least the past decade.

Either regulate, with accountability, the security-critical services on the internet, or stop using the internet for critical applications. It's that simple. You know, aside from the whole unregulatable aspect of the internet we all know and love. Which ergo means: stop using the internet for critical applications.

<kudos to Brian Honan for succinctly summarizing some of this in a recent SANS post>
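Both incidents above share a detection lesson: a hijacked DNS answer or a forged certificate that still chains to a trusted CA passes every check the browser performs, so the only thing that catches it is comparing what you observe against what you expect. The script below is an added example, not code from the original post or from any of the organizations mentioned. It assumes a constructed monitoring-log format (`<timestamp> <host> <resolved-ip> <leaf-cert-sha256> chain_valid=<yes|no>`) and a hypothetical baseline of expected addresses and pinned fingerprints; all hostnames, addresses and fingerprints are constructed sample values, and the fingerprints are hashes of labels rather than of real DER certificates.

```python
"""Drift check for DNS answers and TLS leaf-certificate fingerprints.

Added example (not from the original post). The baseline, log format and
every observation below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


def fp(label: str) -> str:
    """Stand-in for a certificate fingerprint.

    A real deployment hashes the DER-encoded leaf certificate; the input
    here is a constructed label so the example runs offline."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed baseline (assumption): A records each host should resolve to
# and the leaf-certificate fingerprint it should present (the "pin").
BASELINE = {
    "mail.example.test": {"ips": {"192.0.2.10", "192.0.2.11"}, "cert": fp("mail-leaf-v1")},
    "www.example.test": {"ips": {"192.0.2.20"}, "cert": fp("www-leaf-v1")},
}

# Constructed observations in the assumed log format.
OBSERVATIONS = [
    f"2011-09-07T10:00Z mail.example.test 192.0.2.10 {fp('mail-leaf-v1')} chain_valid=yes",
    # Resolver now answers with an address outside the baseline: DNS redirection pattern.
    f"2011-09-07T10:05Z mail.example.test 198.51.100.7 {fp('attacker-leaf')} chain_valid=yes",
    # Right address, different certificate that still chains to a trusted CA:
    # the DigiNotar-style case that CA validation passes and only the pin catches.
    f"2011-09-07T10:10Z www.example.test 192.0.2.20 {fp('forged-but-ca-signed')} chain_valid=yes",
    # Pinned certificate presented, but the chain no longer validates (e.g. revoked root).
    f"2011-09-07T10:15Z www.example.test 192.0.2.20 {fp('www-leaf-v1')} chain_valid=no",
    "2011-09-07T10:20Z ftp.example.test 192.0.2.30 deadbeef chain_valid=yes",
    "garbage line that does not parse",
]


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # dns_drift | cert_mismatch | chain_invalid | unknown_host | malformed
    detail: str


def parse_observation(line: str):
    """Return (timestamp, host, ip, cert_sha256, chain_ok) or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].startswith("chain_valid="):
        return None
    ts, host, ip, cert, chain = parts
    return ts, host, ip, cert.lower(), chain.split("=", 1)[1] == "yes"


def check_observations(lines, baseline=BASELINE):
    """Compare each observation against the baseline; every deviation is a Finding."""
    findings = []
    for line in lines:
        parsed = parse_observation(line)
        if parsed is None:
            findings.append(Finding("-", "malformed", line[:40]))
            continue
        ts, host, ip, cert, chain_ok = parsed
        expected = baseline.get(host)
        if expected is None:
            findings.append(Finding(host, "unknown_host", f"{ts}: no baseline entry"))
            continue
        if ip not in expected["ips"]:
            findings.append(Finding(host, "dns_drift",
                                    f"{ts}: resolved to {ip}, expected one of {sorted(expected['ips'])}"))
        if not chain_ok:
            findings.append(Finding(host, "chain_invalid",
                                    f"{ts}: certificate does not chain to a trusted root"))
        if cert != expected["cert"]:
            # A valid chain does not exempt the observation: that is the whole point of the pin.
            note = "chain validates, so only the pin catches this" if chain_ok else "chain also invalid"
            findings.append(Finding(host, "cert_mismatch",
                                    f"{ts}: fingerprint {cert[:12]}... is not the pinned one ({note})"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. for an alert threshold or a daily report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_observations(OBSERVATIONS)
    for f in results:
        print(f"{f.kind:14} {f.host:20} {f.detail}")
    print(summarize(results))
```

The baseline is deliberately independent of the CA system: `chain_valid=yes` on the third observation is true and still produces a finding, because the certificate is not the one the operator pinned. Running this from more than one vantage point (different resolvers, different networks) is what turns it from a local sanity check into something that notices a hijack confined to one registrar or one region.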