Saturday, October 20, 2012

Derbycon 2

This post is a couple of weeks overdue. After having gone to the inaugural event last year, I submitted a paper this year that was accepted (Stable talk). So wifey and I (this year accompanied by one of my team members) headed down to Louisville for the second annual DerbyCon.

I signed up for Chris Nickerson and Ian Amit's Red Team training, which was great and at times completely overwhelming. Tons of great tools I'd never even heard of, some fun physical testing and tools, and a completely mind-blowing introduction to Neuro-Linguistic Programming and real social engineering. Well worth it.

Lots of great hallway talks, and it was great to meet in person some folks I've met this past year on Twitter. The talks I sat in on were mostly stellar. I had a good crowd and had a lot of fun. The hotel staff apparently told the DerbyCon organizers that this DerbyCon weekend out-drank this year's Kentucky Derby weekend, so there's that. And what do drunk infosec professionals do for entertainment besides social engineering each other and setting up fake cell transmitters? Play boisterous chess matches in the lobby until dawn, of course. Well played @egyp7 and @bandrel.

Thanks to the DerbyCon Staff and organizers for another great event (and for accepting my talk), the hotel staff and all the great people who make this community a true community.

Edit: I did my Business Ramifications talk on Friday and received really great feedback and discussions throughout. Thanks everyone who attended.

Tuesday, July 24, 2012

Business Ramifications of the Internet's Unclean Conflicts (and other updates)

So, the schedule has been crazy lately and I have been cherishing what little downtime I have with the family. And the golf course. Hence, no blog post since March. I finally finished the sunroom bar cabinets and installed them just in time for our annual summer party, which was spectacular, BTW - the pulled pork we smoked for 12+ hours was like butter and the ribs were to die for. Ended up kicking out the last dedicated professionals around 2:30AM, so AFAIC it was a total success. Look for invites next year, DM me, etc.

On to actual infosec/risk items. I put together a talk on the Business Ramifications of the Internet's Unclean Conflicts for Cleveland B-Sides that I gave on July 13th (you can see it here, special thanks to @securid and @adc_irongeek). It wasn't my best performance, but admittedly I wasn't 100% confident that I could connect all of my dots in 45 minutes. Plus, I had added several slides during breaks between earlier B-Sides talks, so there was no practice run of the talk as a whole. Regardless, it went over well, with excellent crowd-sourced feedback and criticism, which was most welcome. Safe talks are boring, and I went in with this one expecting some pretty vocal feedback on the topics I brought up. I was not disappointed.

So one of my "agenda" items was "WTF are you talking about?" Which is a fair question. Some examples of the United States' Unclean Conflicts include Korea, Vietnam, Grenada, Somalia, Panama and even our current "Wars" in Afghanistan and Iraq. Let's not forget what is happening in Yemen and Pakistan. The last official declaration of war was in 1942 against Bulgaria, Romania and Hungary, allies of the Germans during WWII. Post-WWII we became very familiar with unclean conflicts, both before and after the fall of the Soviet Union. But that event marked a significant change in our (the United States') international attitude. Who would realistically engage us in open, clean conflicts? This lack of (in our minds) a realistic adversary further fed our big-headed notion that the rest of the world should act and behave as we think they should. This mindset filtered down into our business DNA, and the innovative corporations that were and are pivotal in building up our national economy began thinking the same way. We now find ourselves lashing out with legislation in vain attempts to enforce levels of security controls to protect our national infrastructure, which will most likely lead to attempts to enforce levels of controls over manufacturing, science, research, medical and other verticals. Will any of these succeed? It is too early to tell. But the simple fact is this: if you get to the point where a problem becomes so big that you need to try to legislate it in order to protect the economy and nation as a whole, you have completely missed what was wrong to begin with.

The term "Organizational Entropy" is defined as the natural result of assuming you are smarter than your adversaries. Which is exactly what we, both internationally as well as business-wise, have done. And (gasp) we are quickly finding that a) we are not as smart as our adversaries and b) they have not been playing according to our rules. For years. Why spend billions of dollars (pick your currency) developing new technology when you can spend a million dollars purchasing the stolen technology? Why not halve the number of years your weapons program is behind the US's by stealing that top secret data?

Our adversaries have become specialists at executing "Unclean Conflicts" against our business and defense infrastructure.

Our pig-headedness has led to societal ramifications where policy is now defining society, which does not happen naturally. Society should define policy. And since this is completely unnatural, and basically driven by power, greed and profit, naturally it is failing.

Joel Brenner's recent book "America the Vulnerable", while bordering on being fodder for the security hardware vendors of the world to scare the daylights out of business decision makers, does make one excellent point - "Organizations must learn to live in a world where less and less information CAN be kept secret, and where secret information will remain secret for less and less time." i.e. Design for, and assume the breach.

Throwing more and more technology at these problems only makes our systems that much more complicated, and therefore less secure. That is not natural adaptation. Nature (including everything from primordial bacteria in volcanoes to us as a species) has survived over millions of years by adapting to situations and problems. Without the need for policies and politics. Our government and corporate frameworks need to learn to begin to adapt to what is effectively a new paradigm.

Every #infosec and #businessrisk practitioner should read the book Learning from the Octopus by Rafe Sagarin. Do this now.

We inherently know what issues matter and what issues do not. "Morals" and religion have no place in this argument, they do not matter. This is about adaptation and being able to apply pressure to the wounds we have sustained due to our arrogance. Vote out anyone, regardless of which "side" they are on, who does not actively convey this understanding.

Feedback is actively welcome.

(note: I am not this smart, shout outs to Josh Corman, Joel Brenner and Rafe Sagarin as a sampling of many influencers)

Tuesday, March 20, 2012

Pen Testing, commodities and 0day supply and demand

Martin Bos (@purehate_) asked an intriguing question over Twitter the other day: should 0day exploits be used in "standard" penetration tests? Some rightly asked to define what a "standard" pentest truly is, since scope could literally be anything you can think of. Josh Abrams (@jabra) responded with what is probably the best answer: "0day usage should match the maturity of the target." Beautifully stated.

But the discussion got my gears turning. Josh Corman (@joshcorman) blogged back in November 2011 about the concept of HDMoore's Law (http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/). It's a great read and I feel very pertinent and accurate. The original Moore's law roughly states, depending on who you hear it from, that technology (i.e. the number of inexpensive transistors that can be put onto a circuit) doubles every two years.

When you look at the IT industry as a whole, this law partially explains many business-related bell curves - advanced technology has its innovators, early adopters, early majority, late majority and laggards. Everything eventually becomes commoditized. Relying on a particular technology or skillset in which your organization has advanced skills to keep a competitive edge over your competition over time is a losing battle. Skillsets are learned. Technology advances and improves. Competition eventually catches up. In order to remain ahead of the pack, organizations must continually find the next advanced technology to specialize in.

Corman's point with the HDMoore's Law concept is that the advancement of the Metasploit framework is lowering the cost of admission for winning and performing successful "standard" pentests. Business histories and frameworks dictate that the advanced technology of penetration testing will eventually become commoditized. Pentest geeks can stop whining now; we all know you are talented and always searching for new, improved and advanced methods of testing. That's not the argument. Cutting edge is still cutting edge. But once pentesting tools advance to the point that those of us who are neither exploit-hunting hobbyists nor paid to discover 0day vulnerabilities can compete with specialists and win engagements with the majority of non-"mature" clients, could the differentiating factor push today's hardcore pentesting community to actively pursue the acquisition of previously unknown 0day exploits?

Supply and demand. Could Whitehat(ish) practitioners eventually significantly contribute to Blackhat revenue, GP margin and Operating margin just to stay ahead of the closing pack of mediocre pentesters using advanced pentesting tools? Thereby funding the work of the evil hackers?

Martin made a good point on an unrelated thread: hey, you make a neat argument, but please back that up with a recommended solution. There is no "solution" in this case (sorry, Martin). This is simple business modeling and evolution, and you need to adapt accordingly. One path in that adaptation may lead to this particular scenario.

Monday, March 12, 2012

DLP vs. Auth: More Snakeoil?

Data Loss/Leakage Prevention (DLP) has been one of the hot buzzwords over the last several years. And it's a great idea - determine where your critical business data lives and actively enforce policy around it. Data in motion, at rest and in use: absolutely critical elements in ensuring enterprise business protection.

But is it, really? In terms of protecting business-critical data, the most important element is first and foremost understanding where that data lives and breathes. That is absolutely where DLP infrastructure contributes the most. But once that business-critical data is discovered, wherever it may live, is it not logical to then make the business decisions to allow said data to reside in certain areas and not others? Policies redrawn to dictate where critical data should reside, and then, through alternative means such as, oh, authentication and authorization, allow access to such data?

Don't get me wrong. People will send CCs and SSNs unwittingly over email. This is not that argument. Few organizations have gone out of business for such breaches, so clearly these are not true business risks. This argument is focused on innovation lifeblood. Formulas, research, sales playbooks, medical breakthroughs, etc. Everything that contributes to a strong economy that we, as infosec practitioners, are accountable for protecting.

If we know where that data lives in the first place, the overarching overhead of customizing DLP systems to actively look for your specific business-critical data is, to a degree, moot, now that we know where it is confined to, by enforceable policy, and can control access to it via both standard and enhanced authentication/authorization controls. AD (Active Directory) controls what you can and cannot access, as well as who can take data and copy it to removable media. At some point you have to realize that you cannot control persons taking camera shots of monitor screens that may contain business-sensitive data. Assume the breach. Digitally mantrap your data such that only persons with advanced authorization have access to the sum of the parts. Limit your threat landscape and focus your controls on such persons, no matter how high up on the food chain they may be.

DLP systems have their place, but I believe that place is simply to identify the most important variable any organization needs to know in an effort to protect their business-critical data: where that data lives. At that point existing controls can be implemented to enforce the business policies, restrict access to said data, redefine where said data should live and reduce the scope of threat vectors that have the potential to exfiltrate said data.

DLP - one time insight or ongoing overhead?

Sunday, March 4, 2012

More Compliance Sham-WOW!

I've said it before and I'll say it again. Compliance is a sham. Most regimes are vague attempts at kinda hoping you'll make appropriate security decisions and protect people's data that resides on your systems. Others have very detailed lists of what you should be doing, which, from the business side of the house, is completely impractical to comply with. So most organizations adopt a "we're doing our due diligence" mentality of trying to at least show small, annual signs of compliance improvement, in hopes that if that low-probability event actually occurs, they will not be held accountable because they can produce the appropriate "metrics" that tell the all-too-familiar tale of compliance costs vs. revenue and GP.

The latest Sham-WOW compliance movement has been introduced by several congresspersons, including Joe Lieberman, and boy is it a doozy. Jody Westby's story in Forbes (here) sums up most of it very astutely, but doesn't touch upon what I feel is a larger, underlying battle. We are rapidly approaching a very complicated paradigm shift regarding our national economies and who is responsible for protecting our national assets and interests. I've previously discussed the economic dangers of the theft of our innovations and how we are no longer (for the most part) in an era where our government can protect our industries by reacting with physical force.

Yet, the antithesis of bombing the daylights out of an adversary for cyber-stealing NASA secrets and the like appears to be applying more regulatory compliance to the formula. I can hear all of the equipment vendors cheering already. "Buy this device and you will be <insert the latest govt. regulation here> compliant." It's crap like this that makes my life more hectic in my attempts to un-"educate" people who have already taken the bait and are now chasing the carrot of compliance.

Compliance almost never means Secure; Secure almost always means Compliant. At this point I forget who even said that first (credit anyways). There was a time I felt it might take a few levels of governmental regulation to get to some semblance of Business Security, but no longer. Litigation is king, and even that has diminishing returns in this day and age of the "international mystery man", more commonly known as the C.H.E.W. factors (Crime, Hacktivism, Espionage, War).

Standards, people. And the lack thereof. We spend so much money investing in systems that will "protect" us from weaknesses that should have already been vetted in the actual application that it is no wonder each and every industry is overwhelmed with thousands of vendors touting the latest and greatest solution to combating <insert APT here> in your enterprise. Focus on the root causes. Awareness and coding standards. Develop them. Enforce them. Don't buy software from vendors who aren't active contributors to such standards, etc. I realize this is as much of an uphill battle as complying with some of the regulatory standards, but at least it would actually make an impact.

Just be, as good infosec professionals strive to be, proactive about it. Don't be complacent and allow a bunch of aging congressmen who aren't really sure how to turn on their "tweeter" to be responsible for developing another completely erroneous and ineffective infosec regulatory compliance standard just because we can't collectively troubleshoot root-cause issues and become a community dedicated to actual problem solving, debugging and solutions.

Thursday, February 16, 2012

My BYOD musings at ETech

I was asked to give a talk this past Monday for the ETech convention (focused on K-12) in Columbus, OH. I did my best to politely let our sponsors know that I would not participate in regurgitating vendor marketecture and FUD (see Replacing FUD); that is what vendor reps are for. Instead I put together a discussion around understanding the risks of BYOD (BYOD == BYOWMD - Weapons of Mobile Destruction, credit to whomever tweeted that the other day; I searched but couldn't find it again), the current business drivers, the ramifications and a roadmap to follow if your organization is thinking about allowing users to bring their own weapons onto your network. Great participation and dialogue, which I love, and thanks to all who attended and participated in the discussions.

Some very interesting takeaways, mostly specific to the K-12 vertical:
  • Not a single person in the room had ever seen a single line item for security in an OSFC bid (not surprising)
  • IT resources are stretched beyond capacity (not surprising)
  • Educators are usually not aware how much access they actually have, and many times don't care once that is explained (interesting)
Only a handful of persons who attended are currently being directed to design and implement networks that support these weapons. However, I guarantee that with the rising expectations of these networks to support all of the upcoming advanced technologies, and the high costs of 1:1 computing, we will see many more organizations moving towards this model that the tech industry has made its latest acronym focal point.