Monday, December 31, 2007

Sguil Status

One of you wrote recently to ask about the status of the open source Network Security Monitoring suite called Sguil. You noticed the last release of Sguil (0.6.1) occurred in February 2006. I can assure you Sguil is not dead. In fact, just last week I wrote an article for a new BSD magazine about installing the sensor and server components of Sguil 0.7.0 (from CVS) on FreeBSD 7.0.

To keep up with development, read the sguil-devel mailing list and visit #snort-gui on irc.freenode.net.

I expect to see Sguil 0.7.0 released before 13 February 2008 to avoid hitting the two-year mark.

Last Book Reviews of 2007 Posted

Amazon.com just published my five star review of Ajax Security by Billy Hoffman and Bryan Sullivan. From the review:

Ajax Security was the last book I read and reviewed in 2007. However, it was the best book I read all year. The book is absolutely compelling and every security professional and Web developer should read it. It's really as simple as that.

I am not a Web developer. I was not very familiar with Ajax (beyond its buzzword status and a vague notion of functionality) when I started reading Ajax Security. I attended the authors' Black Hat 2007 talk and was thoroughly impressed and disturbed by the security implications they presented. I expected Ajax Security to be a good book, but one can never be sure if talented hackers and presenters can transfer their skills to the written word. Ajax Security gets the job done.

Ajax Security is my Best Book Bejtlich Read in 2007 award winner. Amazon.com will soon publish my four star review of Geekonomics by David Rice. From the review:

I really, really liked Geekonomics, and I think all security and even technology professionals should read it. Why not give the book five stars then? The reasons are twofold: 1) the book fails to adequately differentiate between safety and security; and 2) the chapter on open source demonstrates fundamental misconceptions that unfortunately detract from the author's message. If you are kind enough to keep the thoughts in this review in mind when reading Geekonomics, you will find the book to be thoughtful and exceptionally helpful.

It is important to remember that Geekonomics is almost exclusively a vulnerability-centric book. Remember that the "risk equation" is usually stated as "risk = vulnerability X threat X impact". While it is silly to assign numbers to these factors, you can see that decreasing vulnerability while keeping threat and impact constant results in decreased risk. This is the author's thesis. Rice believes the governing issue in software security is the need to reduce vulnerability.

The problem with this approach is that life is vulnerability. It is simply too difficult to eliminate enough vulnerability in order to reduce risk in the real world. Most real world security is accomplished by reducing threats. In other words, the average citizen does not reduce the risk of being murdered by wearing an electrified, mechanized armor suit, thereby mitigating the vulnerability of his soft flesh and breakable neck. Instead, he relies on the country's legal system and police force to deter, investigate, apprehend, prosecute, and incarcerate threats.

Finally, Amazon.com published my three star review of The Book of Pf by Peter N.M. Hansteen. From the review:

I was excited to see a new book on Pf on the market. Three years ago I read and reviewed Building Firewalls with OpenBSD and PF (BFWOAP) by Jacek Artymiak and gave it five stars. I hoped The Book of Pf (TBOP) would acknowledge the best ideas in BFWOAP and expand into Pf developments of the last three years. TBOP is strong when it addresses how to install or use Pf on operating systems other than OpenBSD. Elsewhere, the book is too weak to merit more than three stars.

Hopefully by the time you read this all of the links will be working and the reviews will be posted.

Best Book Bejtlich Read in 2007

Last year I posted my first year-end ranking of books I had read and reviewed in 2006, titled Favorite Books I Read and Reviewed in 2006. I decided to continue the tradition this year by posting my 2007 rankings, and awarding Best Book Bejtlich Read in 2007 (B3R07).

2007 was not my most productive year in terms of reading and reviewing books. I read 17 in 2000, 42 in 2001, 24 in 2002, 33 in 2003, 33 in 2004, 26 in 2005, and 52 in 2006. This year I read and reviewed 25 books, several during cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 last week. My ratings can be summarized as follows:

  • 5 stars: 9 books

  • 4 stars: 11 books

  • 3 stars: 4 books

  • 2 stars: 1 book

  • 1 star: 0 books


The competition for the B3R07 award was intense. Keep in mind these are all five star books.

  • 9. Designing BSD Rootkits: An Introduction to Kernel Hacking by Joseph Kong (No Starch). If you understand C and want to learn how to manipulate the FreeBSD kernel, Designing BSD Rootkits is for you.

  • 8. Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions by David Endler and Mark Collier (McGraw-Hill/Osborne). I like HE books because the good ones explain a technology from a security standpoint, how to exploit it, and how to defend it. I thought HE:V did well in all three areas, even featuring original research and experiments to document and validate the authors' claims.

  • 7. Security Metrics: Replacing Fear, Uncertainty, and Doubt by Andrew Jaquith (Addison-Wesley). You must read this book if you care to measure security progress.

  • 6. Security Data Visualization: Graphical Techniques for Network Analysis by Greg Conti (No Starch). It's perfect for readers familiar with security who are looking to add new weapons to their defensive arsenals.

  • 5. Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort by Michael Rash (No Starch). As a FreeBSD user, Linux Firewalls is good enough to make me consider using Linux in certain circumstances!

  • 4. Absolute FreeBSD, 2nd Edition: The Complete Guide to FreeBSD by Michael W. Lucas (No Starch). When was the last time you could physically feel yourself getting smarter while reading a book? If you are a beginning to average FreeBSD user, Absolute FreeBSD 2nd Ed (AF2E) will deliver that sensation in spades.

  • 3. Windows Forensic Analysis Including DVD Toolkit by Harlan Carvey (Syngress). WFA delivered just what I hoped to read in a book of its size and intended audience, and my expectations were high. If your job requires investigating compromised Windows hosts, you must read WFA.

  • 2. Network Warrior by Gary Donahue (O'Reilly). Gary Donahue has written a wonderful book that I highly recommend for anyone who administers, supports, or interacts with networks.


And, the winner of the Best Book Bejtlich Read in 2007 award is... 1. Ajax Security by Billy Hoffman and Bryan Sullivan (Addison-Wesley). Ajax Security was the last book I read and reviewed in 2007. However, it was the best book I read all year. The book is absolutely compelling and every security professional and Web developer should read it. It's really as simple as that.

If you'd like to read a very thorough and technically perceptive review of the book, I recommend this post by Dre: Ajax Security opens up a whole new can of worms.

Let me conclude by saying the competition for the top slot was very tight. I really loved all top five books, and the bottom four were excellent too. There are even some good four star books, but a book must rate five stars in order to be considered here.

Congratulations to No Starch for placing 4 books in my five star list. Addison-Wesley was the runner-up with 2 books, but the publisher also produced the B3R07 award winner.

Happy reading in 2008!

Thursday, December 27, 2007

Long Live Emerging Threats

If you haven't noticed, availability of Bleeding Threats has been lousy recently. If you read Matt Jonkman's recent post you'll notice the arrival of Emerging Threats. I am currently getting my copy of the Bleeding ruleset there; I am no longer using Bleeding Threats.

Friday, December 21, 2007

Snort Report 11 Posted

My 11th Snort Report on Snort Limitations has been posted. From the start of the article:

In the first Snort Report I mentioned a few things value-added resellers should keep in mind when deploying Snort:

1. Snort is not a "badness-ometer."
2. Snort is not "lightweight."
3. Snort is not just a "packet grepper."

In this edition of the Snort Report, I expand beyond those ideas, preparing you to use Snort by explaining how to think properly about its use. Instead of demonstrating technical capabilities, we'll consider what you can do with a network inspection and control system like Snort.


The editors titled this piece "Snort Limitations" -- I didn't.

Thursday, December 20, 2007

Predictions for 2008

For the last five years I've resisted the urge to write year-end predictions (thanks Anton). However, I'm seeing indications of the following, so maybe this is more about highlighting trends than taking wild guesses.

Here are my five predictions for 2008.

  1. Expect greater government involvement in assessing the security of private sector networks. I base this item on what's happening in the UK following their latest data breach. The article Data watchdog seeks dawn-raid powers states the following:

    The Information Commissioner’s Office (ICO), which polices the security of the nation’s data, is to be given the power to raid Government departments suspected of breaching protection laws.

    The move, announced today by Gordon Brown, comes in response to the loss by HM Revenue & Customs (HMRC) of personal details of some 25 million Britons. The Prime Minister said the ICO would be given extra powers to carry out “spot checks” of government departments.

    However, it is unclear whether the new powers will extend to companies - something that Richard Thomas, the Information Commissioner, is pressing for.

    "Alarm bells must ring in every boardroom," Mr Thomas said today.

    He added: "For some time I have been pressing the government to give my Office the power to audit and inspect organisations that process people’s personal information without first having to get their consent."

    Mr Thomas also repeated a call for the law to be "changed to make security breaches of this magnitude a criminal offence."
    (emphasis added)

    Security raids would be an amazing event. I think it would significantly alter the way security is managed by every major company.

  2. Expect greater military involvement in defending private sector networks. I base this item on reporting by the Baltimore Sun, no longer posted on their site but repeated elsewhere:

    In a major shift, the National Security Agency (NSA) is drawing up plans for a new domestic assignment: helping protect government and private communications networks from cyberattacks and infiltration by terrorists and hackers, according to current and former intelligence officials.

    From electricity grids to subways to nuclear power plants, the United States depends more than ever on Internet-based control systems that could be manipulated remotely in a terrorist attack, security specialists told The Baltimore Sun.

    The plan calls for the NSA to work with the Department of Homeland Security (DHS) and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the "Cyber Initiative." Details of the project are highly classified.

    Director of National Intelligence Mike McConnell, a former NSA chief, is coordinating the initiative. It will be run by the DHS, which has primary responsibility for protecting domestic infrastructure, including the Internet, current and former officials said.

    At the outset, up to 2,000 people -- from the Department, the NSA and other agencies -- could be assigned to the initiative, said a senior intelligence official who spoke to The Baltimore Sun on condition of anonymity.

    I know nothing about this outside of what I just posted, and the story House panel chief demands details of cybersecurity plan discussing activities of the US House Committee on Homeland Security.

  3. Expect increased awareness of external threats and less emphasis on insider threats. Maybe this is just wishful thinking, but the recent attention on botnets, malware professionalization, organized criminal cyber enterprises, and the like seems to be helping direct some attention away from inside threats. This may be premature for 2008, but I expect to see more coverage of outsiders again.

  4. Expect greater attention paid to incident response and network forensics, and less on prevention. This could also be wishful thinking, but I am seeing a lot of movement in the commercial space involving effective incident response processes and tools. I've been speaking to several vendors while I build my IR and forensics lab for work and 2008 will see some very cool capabilities arrive, particularly in live response and remote forensic assessments. Several vendors will aggressively ship network forensic systems in 2008 with increased tie-ins to other existing products, like SIMs, firewalls, IPS, and the like.

  5. Expect talk of an "IPv6 gap," especially with respect to China. Leading up to the start of the Olympic Games in China in 2008, I am sure we will hear a lot about IPv6. I mentioned this last year. Talk of an "IPv6 gap" will build upon a perceived "space gap" as China pursues its vision to put men on the moon by 2020. You will hear people say we need IPv6 because it is "inherently secure" or something similar. The China hacking stories of a few months ago embedded themselves in the IT consciousness, and that will be a continuing theme. I'm not sure if any of this will result in IPv6 being effectively deployed in 2008, 2009, or even 2010 in the US.

A year from now I'll see how these trends played out in 2008 and report back.

Two Book Reviews Posted

Amazon.com just published my five star review of Absolute FreeBSD, 2nd Ed by Michael Lucas. From the review:

Almost five years ago I reviewed Absolute BSD, Michael Lucas' first book on FreeBSD. I gave that book five stars, back when several other BSD books provided competition. On the eve of 2008, I am happy to say that Michael Lucas is probably the best system administration author I've read. I am amazed that he can communicate top-notch content with a sense of humor, while not offending the reader or sounding stupid. When was the last time you could physically feel yourself getting smarter while reading a book? If you are a beginning to average FreeBSD user, Absolute FreeBSD 2nd Ed (AF2E) will deliver that sensation in spades. Even more advanced users will find plenty to enjoy.

Amazon.com also just published my five star review of Linux Firewalls by Mike Rash. From the review:

Disclaimer: I wrote the foreword for this book, so obviously I am biased. However, I am not financially compensated for this book's success.

In the foreword I note that Linux Firewalls is a "great book." As a FreeBSD user, Linux Firewalls is good enough to make me consider using Linux in certain circumstances! Mike's book is exceptionally clear, organized, concise, and actionable. You should be able to read it and implement everything you find by following his examples. You will not only learn tools and techniques, but you will be able to appreciate Mike's keen defensive insights.

Are you seeing a trend here? In October I reviewed Security Data Visualization from No Starch and my Amazon.com Wish List has several other No Starch titles on it. Nice work No Starch!

Make Cleaning Awesome

Over three years ago I blogged about my Dyson vacuum cleaner. 99.9% of all of my posts are about digital security, but I know some of you are still looking for holiday presents for that certain someone. My wife bought me the new DC-16 for my birthday.

That's right, a vacuum for my birthday. Take a look at the picture of this thing and tell me it is not awesome. I dare you. Don't believe me? Forget the perpetually clogged, nasty "filter" on my old Dustbuster. The DC-16 has a canister that I empty. The DC-16 also has a trigger, not a power button. It looks even more weaponized when the crevice tool is attached instead of the combination accessory tool (pictured above).

Don't let the crybaby Amazon.com reviewers dismay you. Sure, it would be nice to be able to have a second battery pack for swappable charging. However, if you're draining the battery regularly it's a sign you need to pull out your regular vacuum and not rely on a handheld. I've never drained the battery cleaning up after our kids.

I expect to see the DC-16 appear in homemade sci-fi videos on YouTube any time now.

Wednesday, December 19, 2007

After Five Years, NSM Is Still More Than IDS

I've received a series of questions relating to Network Security Monitoring (NSM) recently, via email, blog comments, IRC questions, and so on. Just over five years ago (2 Dec 02) Bamm Visscher and I recorded a Webcast for SearchSecurity.com titled Network Security Monitoring Is More Than IDS. That URL links to a series of questions submitted in response to the podcast.

I still have a copy of our slides, which I just exported to .pdf and uploaded as bejtlich_visscher_techtarget_webcast_4_dec_02.pdf. Remarkably, I would hardly change any of the content. All of the arguments we made back then still hold today. The only real changes involve replacing one or two defunct Web sites.

Anyone who is trying to understand NSM will enjoy this presentation. Please post questions here, and I will either answer the comments directly or save them for a follow-on blog post. Thank you.

Tuesday, December 18, 2007

Does Failure Sell?

I often find myself in situations trying to explain the value of Network Security Monitoring (NSM). This very short fictional conversation explains what I mean. This exchange did not happen but I like to contemplate these sorts of dialogues.

NSM Advocate: I recommend deploying network-based sensors to collect data using NSM principles. I will work with our internal business units to select network gateways most likely to yield significant traffic. I will build the sensors using open source software on commodity hardware, recycled from other projects if need be.

Manager: Why do we need this?

NSM Advocate: Do you believe all of your defensive measures are 100% effective?

Manager: No. (This indicates a smart manager. Answering Yes would result in a line of reasoning on why Prevention Eventually Fails.)

NSM Advocate: Do you want to know when your defensive measures fail?

Manager: Yes. (This also indicates a smart manager. Answering No would result in a line of reasoning on why ignorance is not bliss.)

NSM Advocate: NSM will tell us when we fail. NSM sensors are the highest impact, least cost way to obtain network situational awareness. NSM methodologies can guide and validate preventative measures, transform detection into an actionable process, and enable rapid, low-cost response.

Manager: Why can't I buy this?

NSM Advocate: Some mainstream vendors are realizing a market exists for this sort of data, and they are making some impact with new products. If we had the budget I might propose acquiring a commercial solution. For the moment I recommend pursuing the do-it-yourself approach, with transition to a commercial solution if funding and product capabilities materialize.

Manager: Go forth and let your sensors multiply.


Now you know that it's fiction.

Notice cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 crux of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 argument is here: Do you believe all of your defensive measures are 100% effective? As a statement, one would say Because prevention eventually fails, you should have a means to identify intrusions and expedite remediation. A manager hearing that statement is likely to respond like this.

Manager: Do you mean to tell me that all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 money I've spent on firewalls, intrusion prevention systems, anti-virus, network access control, etc., is wasted?

NSM Advocate: That money is not wasted. It's narrowed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 problem space, but it hasn't eliminated cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 problem.

This is a tough argument to accept. When I worked at Foundstone cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 company sold a vulnerability management product. Foundstone would say "buy our product and you will be secure!" I worked for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 incident response team. We would say "...and when you still get owned, call us." Which aspect of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 business do you think made more money, got more attention, and received more company support? That's an easy question. How is a salesperson supposed to look a prospect in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 eye and say "You're going to lose. What are you going to do about it?"

Many businesses are waking up to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 fact that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y've spent millions of dollars on preventative measures and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y still lose. No one likes to be a loser. The fact of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 matter is that winning cannot be defined as zero intrusions. Risk mitigation does not mean risk elimination. Winning has to be defined using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 words I used to explain risk in my first book:

Security is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 process of maintaining an acceptable level of perceived risk.

This definition does not eliminate intrusions from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 enterprise. It does leave an uncomfortable amount of interpretation for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "acceptable level" aspect. You may have noticed that most of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 managers one might consider successful are usually self-described or outwardly praised as being risk-takers. On cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r side of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 equation we have security professionals, most of whom I would label as risk-avoiders.

The source escapes me now, but a recent security magazine article observed that those closest to the hands-on aspects of security rated their companies as being the least secure. Assessments of company security improved the farther one was removed from day-to-day operations, such that the CIO and above was much more positive about the company's security outlook. The major factor in this equation is probably the separation between the corner office and the cubicle, but another could be the acceptable level of risk for the parties involved. When a CIO or CEO is juggling market risk, credit risk, geo-political risk, legal risk, and other worries, digital risk is just another item in the portfolio.

The difference between digital risk and many of the other risk types is that the consequences can be tough to identify. In fact, the more serious the impact, the less likely you are to discover the intrusion.

How is that possible? What causes more damage: a DDoS attack that everyone notices because "the network is slow," or a stealthy economic competitor whose entire reason in life is to avoid detection while stealing data?

Without evidence to answer the question "are you secure?", managers practice management and defense by belief instead of management and defense by fact.

Saturday, December 15, 2007

Feds Plan to Reduce, Then Monitor

According to OMB directs agencies to close off most Internet links, by June 2008 the Federal government plans to reduce the number of Internet connections it maintains, and then monitor them more closely:

The Office of Management and Budget's Trusted Internet Connections (TIC) initiative likely is to be the last publicized program in the Bush administration's stepped-up focus on cybersecurity, some experts say. More importantly, the new initiative requires agencies to implement real-time gateway monitoring, which has been a deficit in federal network protection.

The TIC initiative mandates that officials develop plans for limiting the number of Internet connections into their departments and agencies. OMB officials want to reduce the number of gateways from the more than 1,000 to about 50, said Karen Evans, OMB's administrator for e-government and information technology.
(emphasis added)

This sounds promising. The story continues:

The initiative also asks chief information officers to develop a plan of action and milestones for participating in the Homeland Security Department's U.S. Computer Emergency Readiness Team's Einstein initiative. The program offers agencies real-time gateway monitoring capabilities and helps them react more quickly to security incidents. About 13 agencies voluntarily participate in the Einstein program.

"The reduction of access points to trusted Internet connections will improve our situational awareness and allow us to address potential threats in an expedited and efficient manner," Evans said. "While we optimize and improve our security, it is also our goal to minimize overall operating costs for services through economies of scale."


Reduction of gateways + enhanced monitoring = better, stronger, faster -- and cheaper.

The story With Internet gateways, less is more adds:

A June deadline for agencies to consolidate their Internet connections coincides with another OMB deadline. June is also when agencies must upgrade their backbone networks to run the next-generation Internet protocol, IPv6...

“The [TIC] initiative is saying, ‘We have to know what we own in order to protect it,’ ” Evans said. “We also must know we are managing risk at an acceptable level.”

Evans said the federal government has more than 1,000 gateways to the public Internet.

The target number is 50, but that is not an absolute number, she said. “We know 1,000 or more is not the way to do it. At a minimum, 50 is two per department.”

Fifty gateways is a reasonable number, Evans said, adding that the Defense Department has reduced its Internet gateway count to 18. The Homeland Security Department expects to have only two Internet gateways after it completes its OneNet initiative.

“The 50 or so points of presence [would] become the perimeter of the federal government,” Evans said.
(emphasis added)

Kudos to Karen Evans. I am hopeful that someone who realizes FISMA Is a Joke has begun steering the Federal government away from worthless documentation and towards real network security operations.

Wednesday, December 12, 2007

Incident Severity Ratings

Much of digital security focuses on pre-compromise activities. Not as much attention is paid to what happens once your defenses fail. My friend Bamm brought this problem to my attention when he discussed the problem of rating the severity of an incident. He was having trouble explaining to his management the impact of an intrusion, so he asked if I had given any thought to the issue.

What follows is my attempt to apply a framework to the problem. If anyone wants to point me to existing work, please feel free. This is not an attempt to put a flag in the ground. We're trying to figure out how to talk about post-compromise activities in a world where scoring vulnerabilities receives far more attention.

This is a list of factors which influence the severity of an incident. It is written mainly from the intrusion standpoint. In other words, an unauthorized party is somehow interacting with your asset. I have ordered the options under each category such that the top item in each sub-list is considered worst, and the bottom is best. Since this is a work in progress I put question marks in many of the sub-lists.

  1. Level of Control
    • Domain or network-wide SYSTEM/Administrator/root
    • Local SYSTEM/Administrator/root
    • Privileged user (but not SYSTEM/Administrator/root)
    • User
    • None?

  2. Level of Interaction
    • Shell
    • API
    • Application commands
    • None?

  3. Nature of Contact
    • Persistent and continuous
    • On-demand
    • Re-exploitation required
    • Misconfiguration required
    • None?

  4. Reach of Victim
    • Entire enterprise
    • Specific zones
    • Local segment only
    • Host only

  5. Nature of Victim Data
    • Exceptionally grave damage if destroyed/altered/disclosed
    • Grave damage if destroyed/altered/disclosed
    • Some damage if destroyed/altered/disclosed
    • No damage if destroyed/altered/disclosed

  6. Degree of Friendly External Control of Victim
    • None; host has free Internet access inbound and outbound
    • Some external control of access
    • Comprehensive external control of access

  7. Host Vulnerability (for purposes of future re-exploitation)
    • Numerous severe vulnerabilities
    • Moderate vulnerability
    • Little to no vulnerability

  8. Friendly Visibility of Victim
    • No monitoring of network traffic or host logs
    • Only network or host logging (not both)
    • Comprehensive network and host visibility

  9. Threat Assessment
    • Highly skilled and motivated, or structured threat
    • Moderately skilled and motivated, or semi-structured threat
    • Low skilled and motivated, or unstructured threat

  10. Business Impact (from continuity of operations plan)
    • High
    • Medium
    • Low

  11. Onsite Support
    • None
    • First level technical support present
    • Skilled operator onsite

Based on this framework, I would be most worried about the following -- stated very bluntly so you see all eleven categories: I worry about an incident where the intruder has SYSTEM control, with a shell, that is persistent, on a host that can reach the entire enterprise, on a host with very valuable data, with unfettered Internet access, on a host with lots of serious holes, and I can't see the host's logs or traffic, and the intruder is a foreign intel service, and the host is a high biz impact system, and no one is on site to help me.
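To make the framework concrete, here is an added example (not code from the original post) that encodes the eleven categories with their worst-to-best ordering and turns a rated incident into a single comparable number. The categories and option labels come from the list above; the scoring rule (each category's rank normalized to 1.0 for the worst option and 0.0 for the best, then averaged across all eleven) is my own assumption for illustration, as are the `WORST_CASE` and `CONTAINED_CASE` sample incidents. The worst case is the one described in the paragraph above; the contained case is constructed.

```python
"""Eleven-category incident severity scorer.

Added example, not from the original post. Category names and the
worst-to-best option ordering follow the post; the numeric scoring
(rank normalized to 0..1, then averaged) is an assumption for illustration.
"""

# Options listed worst (index 0) to best (last), matching the post.
CATEGORIES = {
    "level_of_control": [
        "Domain or network-wide SYSTEM/Administrator/root",
        "Local SYSTEM/Administrator/root",
        "Privileged user (but not SYSTEM/Administrator/root)",
        "User",
        "None",
    ],
    "level_of_interaction": ["Shell", "API", "Application commands", "None"],
    "nature_of_contact": [
        "Persistent and continuous",
        "On-demand",
        "Re-exploitation required",
        "Misconfiguration required",
        "None",
    ],
    "reach_of_victim": ["Entire enterprise", "Specific zones",
                        "Local segment only", "Host only"],
    "nature_of_victim_data": [
        "Exceptionally grave damage if destroyed/altered/disclosed",
        "Grave damage if destroyed/altered/disclosed",
        "Some damage if destroyed/altered/disclosed",
        "No damage if destroyed/altered/disclosed",
    ],
    "friendly_external_control": [
        "None; host has free Internet access inbound and outbound",
        "Some external control of access",
        "Comprehensive external control of access",
    ],
    "host_vulnerability": ["Numerous severe vulnerabilities",
                           "Moderate vulnerability", "Little to no vulnerability"],
    "friendly_visibility": [
        "No monitoring of network traffic or host logs",
        "Only network or host logging (not both)",
        "Comprehensive network and host visibility",
    ],
    "threat_assessment": [
        "Highly skilled and motivated, or structured threat",
        "Moderately skilled and motivated, or semi-structured threat",
        "Low skilled and motivated, or unstructured threat",
    ],
    "business_impact": ["High", "Medium", "Low"],
    "onsite_support": ["None", "First level technical support present",
                       "Skilled operator onsite"],
}


def category_score(category, option):
    """1.0 for the worst option in a category, 0.0 for the best, linear between.
    Raises ValueError if the option is not one of the category's choices."""
    options = CATEGORIES[category]
    return 1.0 - options.index(option) / (len(options) - 1)


def missing_categories(incident):
    """Categories the analyst has not rated yet (sorted for stable reporting)."""
    return sorted(set(CATEGORIES) - set(incident))


def severity(incident):
    """Mean category score, 0.0 (benign) to 1.0 (worst case).
    Every category must be rated so partial assessments cannot look mild."""
    missing = missing_categories(incident)
    if missing:
        raise ValueError(f"unrated categories: {missing}")
    return sum(category_score(c, o) for c, o in incident.items()) / len(CATEGORIES)


def worst_categories(incident, n=3):
    """The n categories contributing most to the score, for the management brief."""
    return sorted(incident, key=lambda c: category_score(c, incident[c]),
                  reverse=True)[:n]


# The incident the post calls most worrying: the worst option in every category.
WORST_CASE = {c: opts[0] for c, opts in CATEGORIES.items()}

# Constructed, milder incident: unprivileged access to one well-monitored host.
CONTAINED_CASE = {
    "level_of_control": "User",
    "level_of_interaction": "Application commands",
    "nature_of_contact": "Re-exploitation required",
    "reach_of_victim": "Host only",
    "nature_of_victim_data": "Some damage if destroyed/altered/disclosed",
    "friendly_external_control": "Comprehensive external control of access",
    "host_vulnerability": "Little to no vulnerability",
    "friendly_visibility": "Comprehensive network and host visibility",
    "threat_assessment": "Low skilled and motivated, or unstructured threat",
    "business_impact": "Low",
    "onsite_support": "Skilled operator onsite",
}

if __name__ == "__main__":
    for name, inc in (("worst case", WORST_CASE), ("contained case", CONTAINED_CASE)):
        print(f"{name}: severity {severity(inc):.2f}, drivers {worst_categories(inc)}")
```

The point of `worst_categories` is that a single number is rarely what management acts on; naming the three categories that drive the score (for the contained case, the fact that the intruder can come back by re-exploitation) tells them which lever to pull first.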

What do you think?

Saturday, December 01, 2007

Expert Commentary on SPAN and RSPAN Weaknesses

It's no secret I am a fan of using taps instead of switch SPAN ports when instrumenting networks. Two excellent posts explain the weakness of using SPAN ports and RSPAN.

Both of these were written by Tim O'Neill, an independent consultant.

This is the simplest way for me to compare SPAN ports to taps: a SPAN port is a girlfriend, but a tap is a wife. It takes a real level of institutional commitment to install a tap, and the rewards are long-lasting. A SPAN port is a temporary fling subject to break-up (i.e., deactivation).

Furthermore, I really liked the blog post's emphasis on SPAN configuration as a change that must be allowed by the change control board in any semi-mature IT shop. The only CCB action needed for a tap is the initial installation. Any change to a SPAN port configuration should be authorized by the CCB. This is one of the reasons why very mature (and well-funded) IT shops use matrix switches for on-demand visibility, as I mentioned last year in Notes on Net Optics Think Tank.