tag:blogger.com,1999:blog-52654513997207424902024-03-13T19:44:05.413-07:00Telic ThoughtsTelic Thoughts about Information Security.
The official home of Telic Consulting.Unknownnoreply@blogger.comBlogger24125tag:blogger.com,1999:blog-5265451399720742490.post-6953490407704344372013-08-30T14:24:00.002-07:002014-02-26T13:17:24.697-08:00Splunking SAP<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-TPSKstFXn7A/UiD5OuiLytI/AAAAAAAAAJA/s6Tmgl5cZ8E/s1600/armadillo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-TPSKstFXn7A/UiD5OuiLytI/AAAAAAAAAJA/s6Tmgl5cZ8E/s320/armadillo.png" /></a></div>
We are pleased to announce the general availability of Armadillo v 4.0 today. Armadillo is a virtual appliance that collects machine data from your SAP landscape and feeds it to Splunk; essentially it's Splunk for SAP. Initially conceived in 2008, it has primarily been an internal project, but we've now decided to make it available. Armadillo can collect logs, traces, config parameters, alerts and much more.
If you are interested in evaluating Armadillo for your organisation you can contact us via <a href="mailto:splunk@telic.co.za">email</a>.
Let us know what you think.<br />
<br />
<u>Update 26/02/2014</u> Armadillo v 4.2 <a href="http://bit.ly/1dAGOx6" target="_blank">download</a>, <a href="http://bit.ly/1k9KfCH" target="_blank">checksums</a>.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-45209499145092650092013-05-22T04:48:00.000-07:002013-05-22T04:48:46.478-07:00Rethinking Defense Strategies
The <a href="http://www.itweb.co.za/media/jukebox/SecuritySummit2013/Marinus%20van%20Aswegen.pdf">slides </a>and <a href="http://www.itweb.co.za/media/jukebox/SecuritySummit2013/Marinus%20van%20Aswegen.mp3">audio </a>from my ITWebSec presentation are online. Links to the other talks can be found <a href="http://www.itweb.co.za/index.php?option=com_jukebox&view=category&id=755:security-summit-2013">here</a>.
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-85451271385480332152013-04-20T14:13:00.000-07:002013-04-20T14:13:32.024-07:00ITWeb Security Summit 2013It's that time of the year again and the ITWeb Security Summit is just around the corner.
I will be speaking on defense strategies, see you <a href="http://www.itweb.co.za/index.php?option=com_content&view=article&id=58700&Itemid=2824">there</a>.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-75676030232138088472012-05-24T07:56:00.003-07:002012-05-24T07:56:39.338-07:00ITWeb Security Summit 2012 ContentThe slides and audio from the summit have been <a href="http://www.itweb.co.za/index.php?option=com_jukebox&view=category&id=622:security-summit-2012">posted</a>. I haven't had a chance to listen to my audio; be warned, my slides probably won't be too helpful without it.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-64147616267259734902012-05-03T04:56:00.002-07:002012-05-03T05:33:33.390-07:00ITWeb Security Summit 2012I'll be presenting on SAP security at the <a href="http://www.itweb.co.za/index.php?option=com_content&view=article&id=48442&Itemid=2506">ITWeb Security Summit</a> on the 15th of May. If you are interested in Security Engineering or SAP, come say hello.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-35488152927779782672012-02-06T23:31:00.000-08:002012-02-07T00:14:26.599-08:00ZaCon III PresentationBetter late than never, I've spotted my ZaCon talk on the <a href="http://www.discussit.co.za/index.php?option=com_content&task=view&id=327&Itemid=79">DiscussIT</a> and <a href="http://vimeo.com/30695342">ZaCon Vimeo</a> feeds. The DiscussIT audio feed contains the Q&A.<br />
<br />
<iframe src="http://player.vimeo.com/video/30695342?title=0&byline=0&portrait=0" width="400" height="300" frameborder="0" webkitAllowFullScreen mozallowfullscreen allowFullScreen></iframe><p><a href="http://vimeo.com/30695342">Picking up stones behind broken windows</a></p><br />
Comments welcome.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-19977004648180137622011-08-29T00:11:00.000-07:002011-08-29T00:11:04.759-07:00ZaCon IIII've just received confirmation that my abstract has been accepted; I'll see you at <a href="http://www.zacon.org.za/zacon3/cfp.txt">ZaCon III </a><br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-36632826393422384592011-02-17T06:49:00.000-08:002011-02-17T06:50:37.775-08:00Authentication Concept MapI've put together the following Authentication (AuthN) concept map.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-a4Qxtcg0rec/TV01FzBKTYI/AAAAAAAAADs/di4kdadpPS4/s1600/authentication.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="185" src="http://1.bp.blogspot.com/-a4Qxtcg0rec/TV01FzBKTYI/AAAAAAAAADs/di4kdadpPS4/s320/authentication.jpg" width="320" /></a></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-78358792408750832622010-09-04T04:09:00.000-07:002010-09-04T04:09:24.768-07:00Data VisualizationOne of the most useful ways to communicate or understand information is to <a href="http://www.ted.com/talks/lang/eng/david_mccandless_the_beauty_of_data_visualization.html">visualize</a> the <a href="http://www.ted.com/talks/lang/eng/hans_rosling_the_truth_about_hiv.html">data</a>. In security this is vital due to the sheer volumes of data you often have to contend with; see, for example, the <a href="http://secviz.org/">secviz</a> community.<br />
<br />
Splunk can enable you to quickly find and parse data, however you often need to send the data to something like <a href="http://www.graphviz.org/">graphviz</a> so that you can see it.<br />
<br />
I've written an app that adds a new search command to Splunk that will enable you to generate a graph from your search data.<br />
<br />
<br />
* | viz field1=ip1 field2=ip2 label=proto flatten=true file=/tmp/network1.png<br />
 * | viz field1=ip1 field2=ip2 label=proto flatten=true file=/tmp/network2.png rankdir=RL<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_GfayVtw8z_s/TIIl1GQ4tMI/AAAAAAAAADc/i_Crjyb-K4Y/s1600/network2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://1.bp.blogspot.com/_GfayVtw8z_s/TIIl1GQ4tMI/AAAAAAAAADc/i_Crjyb-K4Y/s640/network2.png" width="172" /></a></div><i><span class="Apple-style-span" style="font-style: normal;"><br />
</span></i><br />
<i>One of the nice features is that you can add graphviz options directly to the command, e.g. rankdir=RL</i><br />
<br />
The app can be obtained via <a href="http://github.com/marinus">http://github.com/marinus</a>, comments & patches are welcome.<br />
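As an added example (this is not the code of the app linked above), the following Python builds the same kind of graphviz DOT source from search results that the viz command does: field1 and field2 become nodes, the label field becomes the edge label, flatten=true collapses repeated node pairs into one edge that lists each distinct label once, and any extra option such as rankdir is passed straight through as a graph attribute. The event rows are constructed; the output is DOT text that you would pipe to `dot -Tpng` to get the picture.

```python
"""Added example, not the viz app's own code: Splunk-style result rows to DOT."""
from collections import OrderedDict

# Constructed sample of search results: source, destination, protocol.
SAMPLE_EVENTS = [
    {"ip1": "10.0.0.5", "ip2": "10.0.0.20", "proto": "tcp"},
    {"ip1": "10.0.0.5", "ip2": "10.0.0.20", "proto": "tcp"},   # repeated edge
    {"ip1": "10.0.0.5", "ip2": "10.0.0.20", "proto": "udp"},   # same pair, new label
    {"ip1": "10.0.0.7", "ip2": "10.0.0.20", "proto": "icmp"},
    {"ip1": "10.0.0.20", "ip2": "192.0.2.9", "proto": "tcp"},
]


def quote(text):
    """DOT double-quoted identifier with backslashes and quotes escaped."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_dot(events, field1, field2, label=None, flatten=False, **graph_attrs):
    """Return DOT source for a directed graph field1 -> field2.

    flatten=True merges events with the same (src, dst) into one edge whose
    label is the comma-joined set of distinct labels; flatten=False emits one
    edge per event. Keyword arguments (rankdir="RL", ...) become graph
    attributes, mirroring the post's note that graphviz options can be passed
    on the command line."""
    edges = OrderedDict()  # edge key -> ordered set of labels
    for event in events:
        src, dst = event.get(field1), event.get(field2)
        if src is None or dst is None:
            continue  # skip events missing either endpoint
        key = (src, dst) if flatten else (src, dst, len(edges))
        labels = edges.setdefault(key, OrderedDict())
        if label and event.get(label) is not None:
            labels[str(event[label])] = None
    lines = ["digraph splunk {"]
    for name, value in graph_attrs.items():
        lines.append(f"  {name}={quote(str(value))};")
    for key, labels in edges.items():
        attr = f' [label={quote(",".join(labels))}]' if labels else ""
        lines.append(f"  {quote(key[0])} -> {quote(key[1])}{attr};")
    lines.append("}")
    return "\n".join(lines)


def edge_count(dot):
    """Number of edge statements in a DOT string produced by build_dot."""
    return sum(1 for line in dot.splitlines() if " -> " in line)


if __name__ == "__main__":
    print(build_dot(SAMPLE_EVENTS, "ip1", "ip2", label="proto", flatten=True, rankdir="RL"))
```

With flatten=True the five constructed events become three edges, and the 10.0.0.5 to 10.0.0.20 edge carries the label tcp,udp; without it you get one edge per event, which is the right choice when you want to see how often a pair talked rather than whether it did.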
<br />
<br />
<div><br />
</div>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-5265451399720742490.post-7986118256460960562010-07-26T13:50:00.000-07:002010-07-26T13:50:43.326-07:00Design Detection Heuristics<div class="separator" style="clear: both; text-align: center;"></div><br />
<a href="http://en.wikipedia.org/wiki/Benford's_law">Benford's</a> law provides a useful heuristic for spotting numbers that were made up by a person rather than produced by a natural process: in many real-world data sets the leading digit is 1 about 30% of the time and 9 less than 5% of the time, and invented figures rarely follow that distribution. This is very useful for detecting <a href="http://www.journalofaccountancy.com/Issues/1999/May/nigrini">fraud</a>, tampering, <a href="http://www.newscientist.com/article/mg20227144.000-statistics-hint-at-fraud-in-iranian-election.html">vote rigging</a> and other activities where one needs a little help. It appears, though, that applying Benford's law is more of an art than a science. It only holds for data that spans several orders of magnitude and isn't artificially bounded (invoice totals, yes; fixed-price items or assigned numbers, no), and rather than being the smoking gun one would like, a deviation serves as the starting point for an investigation or a trigger for caution.<br />
<br />
I've developed a Splunk App that adds a new command to the Splunk search language that calculates the first digit distribution, which can then be used to graph the field of interest.<br />
<br />
<i>* | benford field=price | table digit price benford</i><br />
<br />
Other digits can be selected as follows<br />
<br />
<i>* | benford field=price digit=2 | table digit price benford</i><br />
<i><br />
</i><br />
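As an added example, not the author's Splunk app, here is the same calculation in plain Python: the first- or second-digit distribution of a field next to the Benford expectation, plus a chi-square goodness-of-fit figure against the 5% critical value so that the "trigger for caution" is a number rather than an eyeball on a chart. The two data sets are constructed: a geometric series, which conforms to Benford by construction, and a block of invented prices clustered between 500 and 913, the kind of thing a person making up "plausible" amounts tends to produce.

```python
"""Added example, not the author's Splunk app: the calculation the post's
`benford` command performs, in plain Python."""
import math
from decimal import Decimal, InvalidOperation

# Chi-square 95% critical values: 8 degrees of freedom for the first digit
# (nine outcomes), 9 for the second digit (ten outcomes).
CRITICAL_95 = {1: 15.507, 2: 16.919}


def benford_expected(position=1):
    """Benford probability of each digit in the first or second significant position."""
    if position == 1:
        return {str(d): math.log10(1 + 1 / d) for d in range(1, 10)}
    if position == 2:
        return {str(d2): sum(math.log10(1 + 1 / (10 * d1 + d2)) for d1 in range(1, 10))
                for d2 in range(10)}
    raise ValueError("only digit positions 1 and 2 are supported")


def nth_digit(value, position=1):
    """Significant digit at `position` of a str/int/float/Decimal value, or None
    when the value is not a plain number or has too few digits (0, or 7 at position 2)."""
    try:
        text = format(abs(Decimal(str(value))), "f")  # plain notation, no exponent
    except (InvalidOperation, ValueError):
        return None
    digits = text.replace(".", "").lstrip("0")
    if not digits.isdigit() or len(digits) < position:
        return None  # NaN/Infinity, zero, or not enough significant digits
    return digits[position - 1]


def benford_table(values, position=1):
    """Rows of (digit, observed fraction, Benford fraction), as the post's
    `| benford field=price | table digit price benford` would show them, and a
    summary with the chi-square statistic against the Benford expectation."""
    expected = benford_expected(position)
    counts = {d: 0 for d in expected}
    n = 0
    for v in values:
        d = nth_digit(v, position)
        if d in counts:
            counts[d] += 1
            n += 1
    rows, chi2 = [], 0.0
    for d, p in expected.items():
        observed = counts[d] / n if n else 0.0
        rows.append((d, observed, p))
        if n:
            chi2 += (counts[d] - n * p) ** 2 / (n * p)
    summary = {"n": n, "chi2": chi2, "critical_95": CRITICAL_95[position],
               "suspicious": n > 0 and chi2 > CRITICAL_95[position]}
    return rows, summary


# Constructed data sets. A geometric series follows Benford by construction;
# the second list imitates someone inventing "plausible" prices, all between
# 500 and 913, so digits 1-4 never lead.
NATURAL = [1.5 ** k for k in range(60)]
FABRICATED = [500 + 7 * i for i in range(60)]

if __name__ == "__main__":
    for name, data in (("natural", NATURAL), ("fabricated", FABRICATED)):
        rows, summary = benford_table(data)
        print(name, summary)
        for digit, observed, benford in rows:
            print(f"  {digit}  {observed:6.3f}  {benford:6.3f}")
```

Values that are not plain numbers (currency symbols, blanks, "n/a") are skipped rather than counted, so check the reported n against your event count before trusting the statistic; a small n makes both the Benford expectation and the chi-square test meaningless, which is exactly the art-not-science caveat above.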
Here are some sample transactions I generated<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_GfayVtw8z_s/TE3x_6r-LaI/AAAAAAAAACs/_2FJ_rkOznA/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_GfayVtw8z_s/TE3x_6r-LaI/AAAAAAAAACs/_2FJ_rkOznA/s320/1.png" /></a></div><div class="separator" style="clear: both; text-align: left;">The benford command will calculate the distribution of the first digit and produce a table, which can be graphed.</div><div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_GfayVtw8z_s/TE3yXFUk1BI/AAAAAAAAAC0/kaC4FY5lJJM/s1600/5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/_GfayVtw8z_s/TE3yXFUk1BI/AAAAAAAAAC0/kaC4FY5lJJM/s320/5.png" /></a></div><br />
<div style="text-align: left;"><br />
</div><div style="text-align: left;"><br />
</div><br />
The following graph illustrates the observed digit distribution compared to the Benford distribution.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_GfayVtw8z_s/TE3yrHalchI/AAAAAAAAAC8/1Nd2XjREPeM/s1600/4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br />
</a><a href="http://1.bp.blogspot.com/_GfayVtw8z_s/TE3yrHalchI/AAAAAAAAAC8/1Nd2XjREPeM/s1600/4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_GfayVtw8z_s/TE3yrHalchI/AAAAAAAAAC8/1Nd2XjREPeM/s320/4.png" /></a></div><br />
<div style="text-align: left;"><br />
</div><div style="text-align: left;">The following graph was created using real transactional data.</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_GfayVtw8z_s/TE3zSiMO4tI/AAAAAAAAADE/GUaG-oq4NDw/s1600/9.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/_GfayVtw8z_s/TE3zSiMO4tI/AAAAAAAAADE/GUaG-oq4NDw/s320/9.png" /></a></div>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-5265451399720742490.post-28493288580346167332010-02-26T13:38:00.000-08:002010-03-04T23:43:06.439-08:00Splunk & Dynamic Meta Data<span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;">Splunk is infinitely configurable when it comes to consuming data produced by applications or devices. However, one of the concepts I've been trying to get my head around, configuration-wise, is the dynamic assignment of metadata. I still don't have a good working model.</span></span><br />
<div><span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;"><br />
</span></span></div><div><span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;">Why? Well, it's very useful to add context to events. For example, if I'm indexing syslog data it could be very helpful to add the key-value pairs admin=bob, location=central. When you hit those events at search time you can use the keys without employing any search magic.</span></span></div><div><span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;">> sourcetype=syslog failure | dedup admin</span></span></div><div><span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;"><br />
</span></span></div><div><span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;">The reason you want to add the keys as metadata rather than just appending them to the raw event is that appending messes with the integrity of the event, not to mention its readability. </span></span></div><div><span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;"><br />
</span></span></div><div><span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;">Prior to 4.x you could get smart with the <a href="http://www.splunk.com/base/Documentation/latest/Admin/Assignmetadatatoeventsdynamically">header</a> ***SPLUNK*** but it's now been relegated to the sinkhole.</span></span></div><div><span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;">Since I'm in a position to mangle events before they get indexed, I tried appending a line containing the keys and used a transform to extract the keys as metadata. </span></span><br />
<span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;">[sysadmin]</span></span></div><div><span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;"></span></span><br />
<span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;"></span></span><br />
<span class="Apple-style-span" style="font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px;"><div>REGEX = sysadmin=(\w+)</div><div>FORMAT = sysadmin::$1</div><div>WRITE_META = true</div><div><br />
</div></span></span></div><div><span class="Apple-style-span" style="font-family: Arial; font-size: 13px;">This worked, however trying to remove the key(s) after extracting them failed dismally.</span><br />
<span class="Apple-style-span" style="font-family: Arial; font-size: 13px;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial; font-size: 13px;">[clean]</span></div><div><span class="Apple-style-span" style="font-family: Arial; font-size: 13px;"></span><br />
<span class="Apple-style-span" style="font-family: Arial; font-size: 13px;"></span><br />
<span class="Apple-style-span" style="font-family: Arial; font-size: 13px;"><div>REGEX =(?m)(.*)sysadmin=\w+$</div><div>FORMAT = $1</div><div>DEST_KEY = _raw</div><div><br />
</div><div>Ironically both transforms work, but not at the same time. They appear to be mutually exclusive and I suspect my cleaning transform should be sending its output to another queue.</div><div><br />
</div><div>I also tried to use the new <a href="http://www.splunk.com/base/Documentation/latest/Admin/Anonymizedatawithsed">SED</a> command to clean up after transformation, however this didn't work either since it appears transforms are processed after SED commands.</div><div><br />
</div><div>The Splunk header may be useful here, since the monitor will remove it once it has evaluated it. So you could specify your meta keys in a header line, which Splunk will ignore, and collect and index them with a transform. The monitor will then remove the line without any further config. This is obviously not an elegant option, but it will do the job.</div><div><br />
</div><div>In my discussions with Splunkanistas I've noticed that they struggle to see why it would be useful to do this at index time, and I've been advised to try all kinds of search-time voodoo to achieve the outcome I'm looking for. I suspect the reason for this is that people are used to working with other people's data; in this case you sit between the producer and the consumer and have the opportunity to enrich events with additional context.</div><div><br />
</div><div>Comments welcome.</div><div><br />
Posted to the <a href="http://www.splunk.com/support/forum:SplunkAdministration/4080/13385">Splunk Forum</a><br />
<br />
========= Update 5/03/10 ===========<br />
<br />
The scheme works; it just relies on the fact that transforms are processed sequentially.<br />
The tricky part is the cleanup; it's quite easy to trip yourself up with the multiline regex.<br />
<br />
<br />
[clean]<br />
REGEX=(?m)^((.*[\r\n]+)+)key1.*<br />
FORMAT = $1<br />
DEST_KEY =_raw<br />
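To make the regex trap concrete, here is an added example in Python; Python's re stands in for Splunk's PCRE here, this is not Splunk code, and the two-line event is constructed. It models a transform with DEST_KEY = _raw as "replace _raw with FORMAT when REGEX matches" and runs the extraction stanza and both cleanup regexes from this post over a syslog line with a sysadmin=bob meta line appended.

```python
"""Added example, not Splunk code: Python's re standing in for Splunk's PCRE
to show what the post's cleanup transforms do to a multi-line event."""
import re

# Constructed event: one syslog line plus the meta line appended before indexing.
RAW = ("Mar  5 10:14:02 host1 sshd[1234]: Failed password for root "
       "from 10.0.0.5 port 4455 ssh2\n"
       "sysadmin=bob\n")


def splunk_format_to_python(fmt):
    """Splunk's FORMAT writes groups as $1, $2...; re.Match.expand wants \\1, \\2..."""
    return re.sub(r"\$(\d+)", r"\\\1", fmt)


def apply_transform(raw, regex, fmt):
    """Model of a transform with DEST_KEY = _raw: if REGEX matches, _raw is
    replaced by FORMAT with the groups substituted, otherwise left unchanged."""
    m = re.search(regex, raw)
    return m.expand(splunk_format_to_python(fmt)) if m else raw


def extract_meta(raw, key):
    """The post's [sysadmin] stanza generalised to any key name:
    REGEX = key=(\\w+), FORMAT = key::$1, WRITE_META = true."""
    m = re.search(rf"{re.escape(key)}=(\w+)", raw)
    return {key: m.group(1)} if m else {}


# First cleanup attempt from the post: (?m)(.*)sysadmin=\w+$ with FORMAT = $1.
# '.' never crosses a newline, so $1 is only the text to the left of the key
# on the meta line itself and the whole event collapses to an empty string.
NAIVE_CLEAN = (r"(?m)(.*)sysadmin=\w+$", "$1")


def fixed_clean(key):
    """The working version from the update, with key1 replaced by the real key:
    (.*[\\r\\n]+)+ swallows every complete line before the meta line, and only
    that prefix is written back to _raw."""
    return (rf"(?m)^((.*[\r\n]+)+){re.escape(key)}.*", "$1")


if __name__ == "__main__":
    print(extract_meta(RAW, "sysadmin"))                         # {'sysadmin': 'bob'}
    print(repr(apply_transform(RAW, *NAIVE_CLEAN)))               # ''
    print(repr(apply_transform(RAW, *fixed_clean("sysadmin"))))  # syslog line only
```

Note the failure mode in the other direction: the working regex needs at least one line before the meta line, so an event that consists only of the key line does not match and is indexed untouched, key and all. Whatever cleanup regex you settle on, search for the key name in _raw after a test ingest to confirm nothing leaked through.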
<br />
<br />
<br />
</div></span></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-26165188245827155092010-01-25T06:14:00.000-08:002010-01-25T06:14:56.577-08:00Goodbye RSS, welcome TwitterOver the last year I've been trying to reduce the amount of information I touch on a day-to-day basis and consequently I've been avoiding Twitter. It was in vain, goodbye RSS! You can follow my telic thoughts on <a href="http://www.twitter.com/marinusva">marinusva</a>.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-15921168859821456692009-11-20T13:27:00.000-08:002009-11-20T13:30:28.951-08:00ZACON09See you at <a href="http://www.zacon.org.za/">ZaCon</a> tomorrow. Twitter <a href="http://twitter.com/search?q=%23zacon">feed </a>on #zacon.Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-5265451399720742490.post-40757263348738261162009-09-23T02:42:00.000-07:002009-09-23T02:48:11.977-07:00Illustrated guide to AESJeff Moser <a href="http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html">posted</a> the most awesome and entertaining illustrated guide to AES.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-31620573410239603782009-09-17T04:09:00.000-07:002009-09-17T04:12:24.493-07:00ZACON09Looks like we finally have a <a href="http://zacon.org.za">conference</a> for the people by the people.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-78776143713660843592009-07-07T03:53:00.000-07:002009-07-07T04:09:37.883-07:00ISSA 09I spoke this morning about security non-innovation at the <a href="http://www.infosecsa.co.za/index.html">ISSA</a> 2009 conference. The purpose of the presentation was to position security architecture as a support for business innovation. You know that SOA and BPM initiatives didn't ship with security included in the box, right? 
For those interested in the introduction video you can grab it from <a href="http://www.public.iastate.edu/%7Emcleod/didyouknow">here</a>.Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-5265451399720742490.post-13836966386611489712009-06-01T07:45:00.000-07:002009-06-01T11:21:54.514-07:00DiscussIT PodcastStephan Buys and I were recently invited to chat about <a href="http://www.splunk.com/">Splunk</a> on the DiscussIT Security Pubcast. Stephan has some really solid delivery experience and works for <a href="http://www.exponant.com/">Exponant</a>, the local Splunk partner in South Africa. I got to share a little about our forthcoming SAP application. The podcast can be found <a href="http://www.discussit.co.za/index.php?option=com_content&task=view&id=91&Itemid=1">here</a>.<br /><br /><span style="font-style: italic;">I noticed that they posted the wrong link for the mp3; you can grab the mp3 from </span><a style="font-style: italic;" href="http://uk.mydigitallife.co.za/_media/_audio/itsp/pce11.mp3">here</a><span style="font-style: italic;">.</span><br /><br />See you at Splunk Live in <a href="http://www.splunk.com/goto/SplunkLive_Johannesburg_Jun09">Johannesburg</a>.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-85616701918099751122009-04-20T02:03:00.000-07:002009-04-21T01:11:23.127-07:00Virtualization CIO round tableI see the CIO round table for <a href="http://www.brainstormmag.co.za/index.php?option=com_content&view=article&id=2160:virtual-disruption&catid=45:in-depth-analysis&Itemid=88">April</a> is now online. 
The usual fun was had; just a pity that there's not enough space to capture all the good talking points.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-82919577454932034452009-03-20T05:18:00.000-07:002009-04-21T01:12:27.685-07:00Risk CIO round tableI participated in a CIO risk round table last year; I see the <a href="http://www.brainstormmag.co.za/index.php?option=com_content&view=article&id=207&catid=45:in-depth-analysis&Itemid=88">article</a> is now online. Hat tip to Maverick for hosting yet another fun event.Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-5265451399720742490.post-91097552513739414832009-03-16T01:29:00.000-07:002009-03-16T02:37:17.334-07:00Where's the Intelligence?One of the most crucial and overlooked areas in information security is intelligence gathering. Let’s face it, the people who do this well are physical security practitioners. They know that if they get this wrong someone could end up dead.<br /><br />Intelligence lets us make better risk management decisions. It buys us time and gives us an opportunity to react. Without it we end up making bad and potentially harmful decisions, not to mention mistakes.<br /><br />We've gotten better at identifying our assets and modeling threats, however we've made little headway in dealing with threat agents and the threats they pose. They become vague and generalized assumptions.<br /><br />In some sense, rather than dealing with them, we've tried to outsource the problem to technology, i.e. IDS, IPS, DLP, SIEM, etc. At best we now know when something bad happened, but only if we were looking and if we knew what to look for. Problem is we can’t see much anyway because we’ve been encrypting anything that moves, oops! At least we'll be getting fewer alerts to action and the management reports are all green now.<br />But can we collect intelligence about threat agents and threats within the organization? 
Yes, and we’ve been doing a good job in the application space for ages with behavioral systems, i.e. fraud detection. But what about the rest of the stack? This has proven to be very problematic, as anyone who’s ever tried to build an all-encompassing log management system will tell you.<br /><br />Indexing log events across the stack is a promising new paradigm. Although not a security vendor, <a href="http://www.splunk.com/">Splunk</a> have developed a technology that does just that. If you could <a href="http://www.splunk.com/videos">index</a> your landscape you could ask it very interesting questions, for example “show me all the users who accessed the network but didn’t log on via RAS or the access network”. We're literally sitting on volumes of useful intelligence that end up on tape.<br /><br />We've been having a lot of fun with Splunk recently; we've developed a connector for SAP NetWeaver. It's going to be interesting to see how this new paradigm is exploited by security vendors and practitioners.<br /><br />Drop me an email at <a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_GfayVtw8z_s/Sb4dVO_acrI/AAAAAAAAABw/X2dqzu2KTzQ/s1600-h/email.png"><img style="cursor: pointer; width: 140px; height: 20px;" src="http://3.bp.blogspot.com/_GfayVtw8z_s/Sb4dVO_acrI/AAAAAAAAABw/X2dqzu2KTzQ/s320/email.png" alt="" id="BLOGGER_PHOTO_ID_5313716860982293170" border="0" /></a> if you are interested in playing with the SAP NetWeaver application.Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-5265451399720742490.post-34404129782501817522009-03-13T07:30:00.000-07:002009-03-13T07:58:02.213-07:00You don't win a war by defending yourself<a href="http://rationalsecurity.typepad.com/blog/2009/03/incomplete-thought-offensive-computing-the-empire-strikes-back.html">Chris Hoff</a> recently made this observation in a post about offensive computing and he's right. 
This is akin to carrying a gun in the real world to defend yourself; however, it doesn't translate well into the wild west we call the internet. Fighting back can have significant unintended, not to mention legal, consequences.<br /><br />The Metasploit site recently became the <a href="http://blog.metasploit.com/2009/02/pathetic-ddos-vs-security-sites.html">victim</a> of a petty DDoS attack. Now the last people you want to DDoS are HD Moore and co. An amusing side effect, though, was that the victim could redirect the attack and basically flood anyone they wanted by changing their own DNS entries. In theory they could have redirected the attack at individual attackers in the botnet, systematically knocking them off the net, but they wouldn't know who was on the receiving end. Fighting back would be risky.<br /><br />You may also find yourself on the wrong side, conscripted into a <a href="http://www.goodgearguide.com.au/article/280025/political_cyberattacks_militarize_web">fight</a> you never knew or cared about. With aging and overloaded plumbing (<a href="http://www.kb.cert.org/vuls/id/800113">dns</a>, <a href="http://www.google.co.za/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Fwww.renesys.com%2Ftech%2Fpresentations%2Fpdf%2Fblackhat-09.pdf&ei=ZXK6SZ21DeTSjAfYyZGYCA&usg=AFQjCNEU0pXn0YGatlhKW-3HR5-e8NUuEQ&sig2=b0JUEMNvWH_1eusfO3xETQ">bgp</a>, etc) it's hard enough to play fair. Guess it's time to lay out the <a href="http://labrea.sourceforge.net/labrea-info.html">tar pits</a>.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-21435127973176480192009-02-25T05:31:00.000-08:002009-02-25T05:51:05.374-08:00Software security is an engineering problemDesigning software that is secure is a difficult prospect at the best of times. Defenders need to know what (assets) they need to protect and from whom (threats). 
Defenders need to ensure that all the holes (vulnerabilities) are patched, all the time, within their limited budget, people and legal constraints. Attackers, on the other hand, need only find one hole, and often have ample time and opportunity. There's an asymmetry in resources.<br /><br />Well, it's not always easy to find your assets or know how to identify them. We only need to look at the GFC (Global Financial Crisis) to see the impact of not being able to identify and locate actual hard assets.<br /><br />It's not easy to know whom you need to defend against. You want to make sure you have the right defenses in the right places, where they will have the maximum bang for your buck. What about the people you trust, like <a href="http://www.bankinfosecurity.com/articles.php?art_id=1200&opg=1">Heartland</a>? More than 500 financial institutions impacted at last count.<br /><br />How do you find all the holes? Do you know where to look? If the <a href="http://blog.fortify.com/blog/fortify/2009/02/20/SHA-3-Round-1">experts</a> who are creating the next generation of crypto routines can't get it right, what hope do your developers have?<br />Not to mention all the <a href="http://jeremiahgrossman.blogspot.com/2009/02/top-ten-web-hacking-techniques-of-2008.html">interesting</a> ways your code and applications can be abused in ways you never thought possible.<br /><br />Throwing technology (Firewalls, SSL, VPN, DLP, Anti Virus, etc) at the software problem isn't going to solve it either. It's an engineering problem, you need to build security in!<br /><br />No wonder some of the best security guys I know have an engineering background.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5265451399720742490.post-71481951047572614682009-02-18T01:54:00.000-08:002009-02-18T01:57:12.590-08:00Is the CIA model still relevant?When one thinks of securing information, practitioners will recite the standard CIA mantra. 
We need to protect information from confidentiality, integrity and availability threats. Some call these security primitives, attributes, goals, objectives, aspects, qualities, threat taxonomy, etc.<br /><br />Since there is no clear consensus on this matter (as far as I can tell), I’ll just refer to them as threats to information assets that the owner needs to protect against. Is the CIA model still relevant though, given today’s evolving threats?<br /><br />Consider the following scenario. Bob the developer is in financial trouble and needs a quick “loan” to settle some debts. Lucky for him, he has a transaction account with his employer, a bank. Using a service account, he logs on to the transaction database and makes a small deposit into his account by altering his bank balance (the asset).<br /><br />Looking at the CIA model we find that there was no breach of confidentiality: the balance has not been disclosed. The integrity of the database is intact: redundancy checks pass. The database with his balance is still available, so he runs down to the street and makes an ATM withdrawal.<br /><br />Did the CIA model consider these information threats?<br /><br />Parker, in his seminal work Fighting Computer Crime, proposed a new model that extended the CIA triad by introducing three additional non-overlapping (atomic) attributes or threats.<br /><br /><ul><li>Confidentiality was extended to include Possession/Control. An adversary may steal a memory stick with your private key on it, but they may not have your pass phrase to use it. Confidentiality has not been breached, but your adversary now has possession and control of your information asset.</li><li>Integrity was extended to include Authenticity. An adversary may gain unauthorized access to a database and update a table. Internal and external consistency checks (integrity) will pass, but the table now contains tampered data that’s not authentic or trustworthy.</li><li>Availability was extended to include Utility. 
A user may encrypt their private key with a pass phrase. If they forget their pass phrase the usefulness (utility) of the information asset is lost. The information is still available but not usable.</li></ul><br />M.E. Kabay of Norwich University, an advocate of this model, calls it the Parkerian Hexad. I really like this model since it clearly delineates information threats, and I’ve found it particularly helpful in my work.<br /><br />I’m amazed though how little traction this has gotten within the security community.<br /><br />Microsoft, as part of the SDL, has opted for the STRIDE model. A quick comparison between STRIDE and the CIA/Parkerian Hexad shows how they overlap.<br /><br /><ul><li>Spoofing primarily deals with authentication, no overlap.</li><li>Tampering overlaps with Integrity.</li><li>Repudiation partially overlaps with Authenticity.</li><li>Information Disclosure overlaps with Confidentiality.</li><li>Denial of Service overlaps with Availability.</li><li>Elevation of privilege primarily deals with Authorization, no overlap.</li></ul><br />Although useful, I feel that STRIDE conflates information threats with services like authentication and authorization. We've missed possession/control, authenticity and utility.<br /><br />To further complicate things, Dave Piscitello proposed another model that Bruce Schneier really <a href="http://www.schneier.com/blog/archives/2006/08/updating_the_tr.html">liked</a>.<br /><br /><ul><li>Authentication (who are you)</li><li>Authorization (what are you allowed to do)</li><li>Availability (is the data accessible)</li><li>Authenticity (is the data intact)</li><li>Admissibility (trustworthiness)</li></ul><br />Should we be surprised that our customers are confused when we struggle to find consensus on the basics?<br /><br />Dave's extended model goes beyond information threats and deals with identity, trust and access control. 
I like to think of these elements as services that control access to information assets.<br /><br />My approach is to start with assets. First you have to figure out what information assets you have and what threats you want to protect them from. You should also have an idea of how important they are to you and what the impact would be if certain threats were realized. Use Parker's model to evaluate threats and set your objectives.<br /><br />Information is useless if you can't handle and process it. Consider how users and systems will interact with information. Threat modeling can really help you here. I'd suggest you go beyond STRIDE and include threats from Parker's model. It really needs a better name; it sounds weird to say Parkerian Hexad all the time. Dave's extended model can act as a heuristic here to ensure completeness.Unknownnoreply@blogger.com4tag:blogger.com,1999:blog-5265451399720742490.post-28270247097937299852009-02-16T04:13:00.000-08:002009-02-16T04:53:58.977-08:00Threats, vulnerabilities and riskRecently a customer asked me where they should focus their security efforts: should they focus on vulnerabilities or threats? I responded by asking what the difference is between threats and risks. I don't think security practitioners do themselves any favours when it comes to communicating concepts like risk, and it shows. If we truly believe that risk management is at the heart of information security we must be able to clearly delineate concepts and show how they relate to each other. 
The following diagram illustrates how I like to think about risk.<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_GfayVtw8z_s/SZlguACbrzI/AAAAAAAAABo/BN5MhCw4TgM/s1600-h/risk.jpg"><img style="cursor: pointer; width: 400px; height: 229px;" src="http://3.bp.blogspot.com/_GfayVtw8z_s/SZlguACbrzI/AAAAAAAAABo/BN5MhCw4TgM/s400/risk.jpg" alt="" id="BLOGGER_PHOTO_ID_5303376379605921586" border="0" /></a>Unknownnoreply@blogger.com0