security silver bullet paradox

We have a problem in the security space.
It is widely touted that marketing and ill-informed managers and non-technical C-levels are looking for silver bullets when it comes to computer security. Most security experts will respond that there is no silver bullet. In fact, we say this a lot even though no one is truly arguing this topic…at least not anyone important or knowledgeable about our industry. We seem to just like saying it amongst each other.
Now, speak to security researchers about wireless security and the use of WEP. Some will get very vehement in saying that WEP is broken and useless and get rather vicious in deriding anyone who says they use WEP for their home wireless network.
See the problem here?
What is disturbing is our ability to completely reject a countermeasure or protection as worthless just because it is not perfect, even while we reject the concept that there is a perfect countermeasure. In the above case, WEP may have holes and be easily broken by someone with the knowledge, but it still has value because it can block a large group of unskilled attackers. IDS may be circumventable and may not catch everything, but it still has value to catch the low-level stuff and mass attacks or worm traffic and such.
We should always be careful not to believe in silver bullets in security, yet we should not fully reject bullets that are 25% silver either. Every little bit that we can raise the bar for attackers is a little bit more security we will gain.

network as a toy closet

The weather in the midwest has just recently taken a dip into the cold ranges with plenty of wind added in. Walking to my car for lunch this afternoon found me thinking about an analogy for how networks are planned and built.
Think of a child’s toy closet. At some point, the closet does not have much in it, maybe just whatever the parent puts in there, most likely some child-related paraphernalia like cribs, strollers, and other things not very interesting to children but necessary for initial childcare. But as the child grows up and time moves on, things are acquired and put away. Maybe some new toy franchise comes along and over the course of 2 years the child builds up a nice collection of toys which then get shoved into the closet wherever they can fit. One weekend a television ad book-ended by a favorite cartoon prompts a new impulse purchase later that day for some rather unwieldy toy aircraft that gets pushed into the closet as well. Perhaps a series of books and shoes get piled in there. No child truly likes shoes and clothes, so they tend to get thrown in with even less regard than normal, falling on the floor of the closet or across various toys.
This slow building of toys and items fitted into various nooks and crannies and sometimes just plain thrown in eventually makes finding the good toys a little more difficult. In fact, some toys may end up forgotten about for years, sitting in a dark corner along with a few unwanted guests: shells of crickets and other insects. And when a wanted toy is needed, rummaging through the mess to pull it out while hoping the mountain of everything else doesn’t topple out on top of it can be a harrowing experience. And we all know that the subsequent shifting of items will mean placing it back in the closet later will find it in a new place tomorrow. If other junk does fall out, chances are it is all just pushed on back inside in whatever fashion it can fit.
This may eventually mean that friends who stay the night can get away with snatching a toy without anyone knowing it. Or they may perhaps wreak havoc by pulling out precariously perched parcels only to topple mounds of others.
And what about those toys received over Christmas and birthdays that are sometimes unwanted and unasked for. The useless junk that accumulates due to what other people thought you might make use of, or trendy toys from years past.
Ask any parent how the image of a child’s toy closet left uncleaned for 4 years makes them feel.
The only way to combat the closet trash mess is with regular cleaning. Take everything out, and put it all back while culling the unwanted.
Networks are similar. Over time, they can become completely unwieldy entities with lost applications lingering in dark corners, unwanted guests never detected, a mish-mash of interconnected parts that depend on each other to avoid falling over into a mess when in fact each can stand on their own if but for a little bit of planning. And how can you truly plan for the future when there is no clue on what the next hot toy will be, or the next ad that is seen on television with that impulse “must have this now” item?

intrusion detection and prevention expectations

There have been a load of posts and discussion on high-profile blogs and mailing lists about the value of IDS/IPS. Richard Bejtlich, Thomas Ptacek, Alan Shimel, Amrit, and others such as the Daily Dave have all chimed in along with their respective gaggle of comments. Lots of people get pretty vehement and passionate about this subject.
An IDS and an IPS are two wholly different things. Any discussion needs to start by laying the groundwork on which one is being talked about. The next step is to describe how the participants define an IDS/IPS. Lastly, review their respective expectations of those IDS/IPS devices.
I really like Alan Shimel’s descriptions of the “trough of disillusionment” and “peak of inflated expectations.” I really think there are some skewed expectations of what an IDS and IPS are supposed to do. Of the two devices, I really believe IPS is the one that has had such high expectations that it will not be delivering satisfactorily, ever. IDS, on the other hand, has been mistaken to be IPS very often.
To me, an IDS is lumped with other functions such as logging, syslog analysis, intrusion response, snmp monitoring, and other network/performance monitoring. All of these functions tend to detect or record, providing information or alerts during and after the fact. They are passive technologies that do not take specific action beyond ringing bells and blowing whistles.
IPSs are in the same category as firewalls, antivirus apps, spyware cleaners, web filtering proxies, and spam gateways. They take IDS one step further by actually performing some action based on the alerts, from changing firewall rules to dropping traffic to throwing out TCP resets. As such, they fall into the problem of stopping things that should be allowed, or allowing things they didn’t know were problems.
IDS/IPS functions are not on my list of the top things to have in a corporate or home user environment. An IDS can detect and alert to events happening that may or may not be malicious or problems. This is certainly a valuable function, but not so valuable as to trump very many other things. IDS technologies tend to be the pet projects of geeky admins that have some time on their hands. The rest of us tend to have other fires that need putting out over babysitting an IDS/IPS device.
Personally, I like IDS for the knowledge and monitoring it can provide about the network. And that is what the real expectation of an IDS should be. The information it provides to better inform those who perform subsequent actions, but only in correlation to how well the device, network, and tuning is understood. IPS devices I can do without unless the environment is so huge that it needs automated responses, but even then the environment is likely so huge that only a handful of IPS-enabled (active) rules will be enabled.
There is a challenge floating around about whether there are any instances where a company was “saved” (benefitted) from having an IDS/IPS device in use. I have not had one personally, but I can certainly think of situations where someone might be throwing internal exploits at LAN systems in an attempt to break into a system, or maybe a worm trying to propagate over the network. An IDS can alert on an otherwise possibly overlooked situation and flag it for investigation. However, as much as an IDS can be helpful, every other layer of technology steals a little bit of its thunder. Network or even host-based firewalls and antivirus will lower the value of the IDS because a lot of malicious stuff is stopped before it traverses the network.
Think of it this way. An IDS/IPS is like a home security alarm system. The IDS will log attempts to break in, possibly track where the thief moves throughout the house, maybe even determining the method of break-in, and will alert the owner that a break-in is occurring and has occurred. An IPS does all of this, but also rings a loud alarm through the house, turns on all the lights and a spotlight, seals away the family valuables, locks all the entry points, and lets loose dogs to chase the intruder away, actively preventing the success of the attack. In light of this analogy, both systems will have had a very valuable effect at some point (that is not to say the IDS/IPS tends to warn when even an insect alights on the window pane or that they don’t detect hispanic intruders…).
Update: More posts are popping up on this topic. The Digital Voice has chimed in as well, with a nice post and viewpoint. TechBuddha has some thoughts as well, about finding your own truths and relaxing a little bit when it comes to arguments like this. Sawaba at SecuriTeam chimes in.

on physical security and computer security

In my previous post, one bullet point was brought up about physical security and computer security and Ira Winkler brought up that physical security is often welcomed while computer security staffers are often not liked. Why is this?
The biggest single reason is simply rooted in culture. At home and outside work, people use computers in their daily lives to do many, many things. From looking at maps for driving directions, popular news, entertainment, distractions, looking up information on a topic, meeting new people, remeeting old friends, and on and on. Computers are used at home in a variety of ways, many of which are not necessarily safe, ethical, or healthy.
Physical security is present to make sure people don’t go where they should not be going, etc. This is not necessarily bad for people as they are not being limited in a way that takes something they would have already had. They didn’t have that access anyway, so there is no loss. But when security imposes computer limits (or the technology imposes those limits), no matter the benefit to the company, those actions involve taking away what users would normally be able to do.
Another lesser reason is the presence of physical security and the smiles they can give. Unfortunately, computer security staffers can’t smile through the computer as user data flows by their gates. Thus it can be easier to get mad at the unseen people in the security cubes. Likewise, as part of the general masses, people feel a bit safer and unconsciously accept the security of physical security guards and locks much easier than they do technical security measures and limitations. (This is the only stable reason for most of the TSA regulations; they shallowly make people feel safer without being really all that effective once you start thinking about it.)

how to improperly support separating ethics and computer security

Ira Winkler from ComputerWorld has a rather controversial article up about the separation of ethics from computer security. This is IT journalism at its most typical: they can write about it, but they don’t know it. He does have some points, but otherwise he also has dubious claims.
There are a few things Ira conveniently leaves out or is not even aware of in regards to this subject.
1. The methods to detect, investigate, and enforce ethical behavior on computer systems utilize many of the same functions that computer security uses. This means there is a natural integration of the two. Computer security requires virus scanning and data/file inspection of some sort. Unethical copyright distribution will utilize similar tools and the same staff.
2. There is a tendency to generalize. If someone is visiting bad web sites that are unethical to visit inside the corporate network, there could be security implications. Too often, those same sites house malware and other bad things. This is just a tendency, but that is what computer security is about. It is not just 100% black and white. The twin goals of ethics and security help to fully dictate that those sites are off-limits and against policy. In short, why make two policies when they support each other?
3. If there are too many points to make when educating users on computer security and ethics, that is not an argument to separate the two entirely. It just means the education needs to be structured better to accommodate making only one or two points. Perhaps ethics can be split off during the education process, but this is simply not a valid supporting argument. It would be difficult to teach users about email security, password complexity, phishing attacks, and proper data usage in the copy room at one time as well. So does that mean those should not be computer security as well?
4. What does Enron have to do with this discussion other than being an excuse to bring up a popular culture/media example?
5. What does physical security have to do with this argument? Yes, security staffers may be disdained for being those who mete out punishments, but it makes no sense in an argument to separate ethics and computer security. The argument would be to minimize our negative impact on users. Well, by that token, should we separate out incident response, since that tends to be negative? What about when a virus is detected on a machine and we have to go inform the user and slap their wrist for downloading it in their email and saving it? This argument makes no sense.
6. Ira would have been better served by not bringing up phishing attack examples and how those are mechanical in nature but ethical decisions are not as straight-forward. Tell that to the people doing studies on how difficult it can be to detect phishing websites. In fact, I would conjecture that most unethical behavior in a workplace is *easier* to determine than some of the “mechanical” computer security issues, especially for non-technical people.
The best part of the article is how Ira even attacks his own argument and makes no real effort to address it. The ending feels very bipolar like he had an argument, didn’t win, but then just moved on.
Now, all that said, there is merit to saying ethics should be separated in part from computer security itself. IT staffers may detect and report on unethical behavior, but ethics is still ultimately up to legal, HR, and corporate executives to determine. But that is not enough to say that ethics and computer security should be fully separate. There is too much at stake for business and security staff to try to fully separate these spheres in anything but a very large company that can have separate ethics staff. Even then, those teams will work closely together anyway.

google placed as the new centralized pc

Just wanted to again mention that Google Reader is amazingly awesome. It has certainly solved my problems with managing news sites, reading news daily, blogs, and rss feeds.
Google is doing something right with their “web 2.0” apps or pseudo-web 2.0 apps depending on whom you ask. I really appreciate the ability to look at my news sites from any system from any net connection. I think as the world becomes more mobile and people begin to have multiple computers (and devices) both personal and even counting their system at work, the freedom and demand to be able to access things remotely is going to increase dramatically. And it is not enough to push VPN technology and remote control solutions (all those RemoteToMyPCAnywhere sites can go to hell, really). In the end, the most-used apps are going to slowly creep towards being web-delivered just like webmail is. I can access Gmail from anywhere and get the same experience as if I were on my personal machine. I can do the same exact things from my Linux and Windows boxes, just by using a web browser.
Google has a good head-start here by identifying the most-used apps on computers, and attempting to replace them with web-driven alternatives. Email, IM, voip, Office, news (RSS), entertainment, and so on.
It is no longer about being able to roam from computer to computer in a corporate environment and have my own profile and settings and apps available. It is about roaming anywhere in the world and still having everything I need.

windows vista security

Thought for the weekend.
Microsoft wants to fortify its own operating system, Windows Vista. But will it be forced to keep the OS insecure because there is a big market for companies that secure Windows? Imagine the extreme. What if Vista were a highly secure OS? Would these companies curse Microsoft for putting out a good, solid product?
Talk about a bad situation…

10 dangerous things users do online

Mostly posting this here just to save this link for myself. This is a nice list of some of the more dangerous things users do online. This is not everything, but hits many points, in order of descending severity:
– Clicking on email attachments from unknown senders
– Installing unauthorized applications
– Turning off or disabling automated security tools
– Opening HTML or plain-text messages from unknown senders
– Surfing gambling, porn, or other legally-risky Websites
– Giving out passwords, tokens, or smart cards
– Random surfing of unknown, untrusted Websites
– Attaching to an unknown, untrustworthy WiFi network
– Filling out Web scripts, forms, or registration pages
– Participating in chat rooms or social networking sites
Some things I would add: participating in P2P or IM services at work; not evaluating information that they send out via email whether their audience should be reading it or not; purchasing and installing random devices on their computers (ipod, wireless APs, mobile handhelds…); and the list can go on…

process and documentation, the art of

The more I work in small-medium companies that act as ASPs (application service provider, i.e. we host servers that our clients use), the more I realize there comes a point where process outweighs getting things done.
Instead of fielding requests as they come in and just getting the work done, change management starts to tickle the back of the throat and more and more, documentation and process need to be invoked. When a request comes in, a process is begun to deal with that request and tie it into any other processes.
For example, an SSL renewal is not just an SSL renewal anymore. Not only does it need to take place on the web server, but the new SSL needs to be imported into our IDS/IPS to decrypt the traffic. While one person doing all of this can keep track of it, eventually as growth continues, multiple people doing these things means they may possibly get lost. Ack! …And this is one of the simple ones.
What makes all of this even more fun is the propensity for people to want to avoid documentation and process and change management. It slows things down and sometimes brings out some weaknesses in how people document and write and attend to detail. In fact, out of about 25 IT people I have worked with extensively, only about 4 have not heavily resisted these tasks (this includes.
This is kind of a reason I include a line on my resume below my college degree that states I also have a background in “environmental sciences.” There is nothing like lab work in genetics, biology, physics, or chemistry to ground oneself in documenting observations and drawing valid conclusions which can be recreated and clearly conveyed to others. Having had an interesting 2.5 years of that work, it does make a difference when troubleshooting networks and documenting process.

blog comments lost in the wind

I just have to say I think more blogs should email commenters on responses to their comments. Too often I make a comment that I’d love more dialogue about, only to never remember to hit that blog again until more news has buried what I commented about. I don’t like fire and forget blog comments…but I frequently forget to check back. I imagine I am not alone.
Then again, perhaps that would get spammy with lots of commenters…and that might be open for abuse as well.
Dang, well, the idea SOUNDED good… Hmph.

passwords are not great, but they are not broken either

I love articles like this short bit about password security from eWeek because there are simple parts to them that I like and other parts that I really disagree with.
What I agree with: Yes, I truly think biometrics will continue to increase in widespread use, even down to individual systems. But unlike passwords, the simple use of these things can provide false positives or true negatives and will not reduce any dependency on help desks. In fact, help desks might be even more encumbered as fixing biometric logon issues is a bit more complex and dangerous than just resetting someone’s password.
Yes, I think single sign-on technologies should be focused on as much as possible, even though they tend to be a luxury for many IT departments as opposed to what just happens. But single sign-on technologies should not be confused with actual authentication technologies. They are separate entities.
And yes, users tend to write down their passwords just like people put spare keys under their car, under the doormat or nearby garden rock or on the back door frame.
What I don’t agree with: Passwords written down on paper are better than easy to remember passwords that are not written down, especially passwords that are too simple. While a complex password might be written down on paper next to a desk, an attacker still must have local access (either personally or through an insider) to the physical facility to read the paper. A simple password on a networked system can be guessed or cracked. So I find it dubious to dismiss passwords simply because they can be written down. For technical people who are comfortable with passwords and password safety, they are just fine.
No IT help desk should complain about user password reset requests. That is why that business function is there, and any alternative is going to be more of a headache than verifying the user and resetting the password. This should not be an argument for alternative forms of authentication.
In the end, there is no 100% perfect authentication system, which is why I dislike articles like these which try to dismiss one because it is not 100% perfect, and market others (whether a new idea or just the same old rote from 2 years ago, like this article). Yes, passwords have issues and there are risks associated with any level of their use, but they are easy and are going to continue to be used for many, many years to come for a variety of things (although perhaps the highest security for information and perhaps corporate use may shift as higher order tech lowers in cost).

we have deflected a hacker attack!

I am amused and irritated by regular news reports lately that come in one of two flavors.
First, the articles about how information disclosure occurred at an organization and that X amount of people were notified, a hotline set up, and a web site created with answers to common questions that the possible victims may have. While all of this is good and detailed, rarely is there any discussion on two things I most want to know: How did the attack occur, and what assurances are there that the information on the system was all that was exposed? My guess is that these are cloudy questions with even cloudier answers…which troubles me.
Second, articles that state an organization thwarted or repelled a hacker attack. Ok, how do you know there was a hacker attack? Who was it? What did you do to thwart it? Was there even an incident at all? I guess if I wanted to drum up my IT team, I could spread word that when Snort gave an alert about a sendmail.pl exploit attempt against my server (captured in IIS logs) that doesn’t even affect anything on my server nor would ever potentially affect it because we don’t run sendmail, I can go ahead and raise the flags and drop confetti because my team…hell…*I* saved the day and thwarted a hack attempt!
As a technical individual, I am quickly requiring details, or it didn’t happen. Screenshots or it didn’t happen!
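The sendmail.pl case above can be checked mechanically before anyone drops confetti: compare each alert's target with what the destination host actually runs. The following is an added example, not part of the original post; the alert lines are constructed in Snort's "fast" alert layout, and the inventory, the SID-to-software mapping and all names in the code are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed alerts in Snort's "fast" alert layout. Addresses are from the
# documentation ranges; SIDs and messages are made up for this example.
SAMPLE_ALERTS = """\
11/03-14:02:11.120394  [**] [1:1000001:1] WEB-CGI sendmail.pl access attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:40112 -> 192.0.2.10:80
11/03-14:02:12.551020  [**] [1:1000002:3] WEB-IIS directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.45:40118 -> 192.0.2.10:80
11/03-14:05:40.000913  [**] [1:1000003:2] SMTP sendmail header overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51234 -> 192.0.2.25:25
11/03-14:09:03.774100  [**] [1:1000002:3] WEB-IIS directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51301 -> 192.0.2.99:80
this line is truncated garbage and must not be silently dropped
"""

# Hypothetical asset inventory: destination IP -> software listening per port.
INVENTORY = {
    "192.0.2.10": {80: "iis", 443: "iis"},
    "192.0.2.25": {25: "sendmail", 22: "openssh"},
}

# Hypothetical mapping an admin maintains: rule SID -> software the rule's
# exploit needs on the target for the attempt to matter.
RULE_TARGETS = {
    1000001: {"sendmail"},
    1000002: {"iis"},
    1000003: {"sendmail"},
}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+.*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    src: str
    dst: str
    dport: int


def parse_alerts(text):
    """Return (alerts, rejected_lines); unparseable lines are kept for review."""
    alerts, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line.strip())
        if m is None:
            rejected.append(line)
            continue
        alerts.append(Alert(m["ts"], int(m["sid"]), m["msg"],
                            m["src"], m["dst"], int(m["dport"])))
    return alerts, rejected


def triage(alert):
    """Classify one alert against the inventory."""
    services = INVENTORY.get(alert.dst)
    if services is None:
        # A host nobody documented is itself a finding.
        return "unknown-asset"
    targets = RULE_TARGETS.get(alert.sid)
    if targets is None:
        # No mapping for this rule: a human has to look.
        return "review"
    running = set(services.values())
    return "investigate" if targets & running else "not-applicable"


def triage_all(text):
    """Parse and classify every alert; returns (rows, rejected_lines)."""
    alerts, rejected = parse_alerts(text)
    rows = [(a.sid, a.dst, triage(a)) for a in alerts]
    return rows, rejected


if __name__ == "__main__":
    rows, rejected = triage_all(SAMPLE_ALERTS)
    for sid, dst, verdict in rows:
        print(f"sid={sid} dst={dst} -> {verdict}")
    print(f"{len(rejected)} line(s) could not be parsed")
```

The sendmail.pl alert against the IIS host comes back as not-applicable, while the alert for a destination missing from the inventory is surfaced rather than dismissed.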

botnets: the next cyberwarfare frontline

eWeek poses the question on whether the botnets have already won. Botnets are not new, but they have been hot news for the past year or so. Unfortunately, while technology likes to move quickly, and vulnerabilities appear and disappear even more quickly, botnets are a fact of life on the wire that is not going to go away any time soon. In fact, I firmly believe we’ve only just begun to see the power, effects, and changing landscape of the wire that botnets are catalyzing. The article mentioned is an excellent look at the situation.
Defending against botnets is difficult, if not even outright impossible right now. Traffic jamming at ISPs or even local networks is useless when the bots tunnel through common ports. Traffic inspection is useless when the bot traffic becomes encrypted or the attacks themselves are real traffic. Shutting down C&C servers is futile now that botnets can work with existing dynamic features on the Internet, can become smaller autonomous units, or just plain efficiently change servers in an instant. Centralized tracking, detection, and disinfection of bots is not cost-effective for anyone because many home users who are infected have no idea they are infected nor have any idea how to fix it without a lot of hand-holding. Besides, it is a common fact that securing every system on the Internet is just not going to happen. Coordinating efforts across nations and continents is not supportable at this time, and even if an effort got underway, laws are still far behind technology. Botnet code can be reverse engineered and attacked directly, but much like signature-based detection, is thwarted by even as little as a single bit change, let alone polymorphic code. And attempting all of these things is still tough to do in as lucrative and profitable a way as the attackers. The article even mentioned that some significant work is done by volunteers.
To strike up a poor analogy, imagine that cars are able to be controlled remotely (not all that far away considering we can monitor the status of cars now and unlock them from a central system or install navigation systems), and I have a way to control half the cars in your neighborhood. What would happen if I have them all play demolition derby with your house? Imagine that some of them are unmanned, but some are manned with trapped drivers. You can build walls, attack each one with rockets, put mines up all over, build a basement they can’t get into, build fake houses so they may or may not get your real one…
So, what about beating botnets? Where are some of the weak points to attack? Well, first of all a botnet might be able to be wielded against a botnet, although to what aim, that is a bit unknown as are the ethical implications. However, it is only a matter of time before a government decides to have its own botnet for cyberdefense and attack reasons. Whereas so many simulations talk about targeted attacks and actual hacker penetrations shutting down systems, something as simple as a coordinated, specific DDoS attack by a botnet can stranglehold critical services. Ask any company that has gone out of business due to a sustained DDoS on their systems.
Botnets, in the end, are still controlled by one or a small number of skilled people. Those people need to be ferreted out and shut down or neutralized or brought to justice. While law enforcement is still largely powerless against foreign-based attackers, I can foresee a time when more secretive agencies or corporate-sponsored groups clash on the cyber battlefield as both attempt to protect their interests. Still, take out the people doing the intelligent coding…
Corporate IT security can move outward to protect employees even at home or on home networks. The real skill in cleaning infections and increasing security at work or at home still lies with IT professionals getting their hands dirty and educating users, even just a little bit. While corporate entities can do a decent job internally, so often we shy away from opening the doors to home support (and mostly rightly so…). It definitely would take a commitment from top management, but does make sense even from an HR perspective.
Better Operating Systems and security products for the home would be a step in the right direction, but will never be more than a variably-sized speedbump for botnets and attackers. Still, some protection is better than none, and a secure or less popular OS is better than putting oneself in the midst of the low-hanging fruit masses.
No matter how this plays out, the botnet war is worth watching. This is still only the beginning and is a major issue that few people want to talk about because of how debilitating it can be and how nearly impossible it can be to defend against or prevent. But this is a topic that will be shaping our security and maybe even our networking as a whole for the next ten years. Mark my words. 🙂

the questions we ask

A recent SANS Handler Diary entry reminded me of the importance of keeping at hand a list of The Questions that we should ask as IT and security professionals. I need to keep updating this list, as they will all likely be questions I will want to keep at hand throughout my entire career.
– If hard drive X were to die right now, could you confidently rebuild it using backups or other documented knowledge? This applies to any system from the most critical server to the least important spare system to any employee workstations.
– If incident X were to happen right now, what is your response procedure? Apply this to the most benign alert up to a major hacking incident that is right now being executed, successfully. Would you have an available audit trail?
– How do you know your network or systems are secure?
– How do you know that there are no rogue wireless access points giving access to your network (or that your users might be hopping onto nearby)?
– Are network diagrams, documentations, and inventory up to date? Include process documentation.
– If one of your users (CFO to call center ops) is specifically targeted by a 0day emailed exploit, how will they react? Is user education appropriate and is IT held in enough regard to have incidents reported?
– If a complete network audit were to be done now, what might you be surprised to see still in service, accessible, or configured? Yes, even networks need flushed and cleaned out and retooled regularly.
I hope to add more.

security podcasts

About 6 months ago I started delving into the world of podcasting and began to quickly try and figure out which computer security-related podcasts were worth the trouble to download and check out.
I never did find a groove with my checks and samples. I don’t have ipod-support in my car, and really don’t find myself just listening to them in the background while I do other things. If my car were more equipped, I may have checked into things more. I also didn’t have the habit of listening to them otherwise, or the time to download them and catch up or keep track of all of their release times. I don’t use iTunes for my own personal reasons (I would if I had a Mac), and none of the other downloaders were really all that excellent. Doppler was the best, but there was always that one odd podcast that Doppler couldn’t track and auto-download, which eroded the whole experience. As such, I just this weekend deleted all the old ones I had downloaded and have shelved the pursuit.
But now I see Chris Brunner did some of the hard work for me of culling out the less useful podcasts, and created a list of them on his own site. I need to update my own geek site links with a few of these new ones that I didn’t have, and check into trying to resurrect this habit pursuit. I’d love to keep up with security through this media as well as print news.