Saturday, September 06, 2008

Request for Feedback on Deny by Default

A friend of mine is working on digital defense strategies at work. He is interested in your commentary and any relevant experiences you can share. He is moving from a "deny bad, allow everything else" policy to an "allow good, deny everything else" policy.

By policy I mean a general approach to most if not all defensive strategies. On the network, define which machines should communicate, and deny everything else. On the host, define what applications should run, and deny everything else. In the browser, define what sites can be visited, and deny everything else. That's the central concept, although expansions are welcome.
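As an added illustration (not code from the original post), here is a small policy evaluator that applies both models, blocklist and allow-list, at the three layers named above and lists the events only the allow-list stops; every rule, path, address and event in it is constructed.

```python
"""Blocklist ("deny bad, allow everything else") versus allow-list ("allow good,
deny everything else") at the post's three layers: network, host and browser.
Added example, not the post's code; every rule and event here is constructed."""
import ipaddress
# Network rules: (source network, destination network, destination port or None = any).
NET_ALLOW = [("10.0.0.0/24", "10.0.0.20/32", 443), ("10.0.0.0/24", "10.0.0.53/32", 53)]
NET_DENY = [("0.0.0.0/0", "203.0.113.0/24", None)]        # constructed "known bad" range
# Host rules: lower-cased executable paths permitted to run / known to be bad.
HOST_ALLOW = {r"c:\program files\office\winword.exe", r"c:\windows\system32\svchost.exe"}
HOST_DENY = {r"c:\users\alice\downloads\badtool.exe"}
# Browser rules: domain names, matched by suffix so subdomains are covered.
WEB_ALLOW = {"intranet.example", "vendor.example"}
WEB_DENY = {"malware.example"}
DENY_LISTS = {"network": NET_DENY, "host": HOST_DENY, "browser": WEB_DENY}
ALLOW_LISTS = {"network": NET_ALLOW, "host": HOST_ALLOW, "browser": WEB_ALLOW}

def net_match(rules, src, dst, port):
    """True if any (src_net, dst_net, port) rule covers the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               and (p is None or p == port) for sn, dn, p in rules)

def domain_match(domains, host):
    """Suffix match: 'wiki.intranet.example' is covered by 'intranet.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def is_listed(listing, layer, subject):
    """Does the given layer's list (allow or deny) cover the subject?"""
    if layer == "network":
        return net_match(listing, *subject)        # subject = (src, dst, port)
    if layer == "host":
        return subject.lower() in listing          # subject = executable path
    if layer == "browser":
        return domain_match(listing, subject)      # subject = host name
    raise ValueError("unknown layer: " + layer)

def decide_deny_bad(layer, subject):
    """Blocklist: anything not known to be bad, the unknown included, is allowed."""
    return "deny" if is_listed(DENY_LISTS[layer], layer, subject) else "allow"

def decide_allow_good(layer, subject):
    """Allow-list: anything not explicitly approved, the unknown included, is denied."""
    return "allow" if is_listed(ALLOW_LISTS[layer], layer, subject) else "deny"

SAMPLE_EVENTS = [                                          # constructed
    ("network", ("10.0.0.5", "10.0.0.20", 443)),           # approved internal HTTPS
    ("network", ("10.0.0.5", "198.51.100.7", 8080)),       # never-seen destination
    ("network", ("10.0.0.5", "203.0.113.9", 6667)),        # in the known-bad range
    ("host", r"C:\Program Files\Office\WINWORD.EXE"),
    ("host", r"C:\Users\alice\Downloads\updater_new.exe"),  # unknown binary
    ("browser", "wiki.intranet.example"),
    ("browser", "unknown-site.example"),
]

def blocklist_gap(events):
    """Events the blocklist passes but the allow-list stops (the exposure default deny removes)."""
    return [(layer, s) for layer, s in events
            if decide_deny_bad(layer, s) == "allow" and decide_allow_good(layer, s) == "deny"]
```

Running blocklist_gap over the sample events shows the unknown destination, the unknown binary and the unknown site all passing the blocklist and all stopped by the allow-list.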

My friend would like to know if anyone in industry is already following this strategy, and to what degree. If you can name your organization all the better (even if privately to me, or to him once the appropriate introductions are made). Thank you.

Bejtlich Keynote at SANS Forensics Summit

Rob Lee was kind enough to ask me to deliver the keynote on the second day of the SANS WhatWorks in Incident Response and Forensic Solutions Summit. The two-day event takes place 13-14 October 2008 at Caesars Palace in Las Vegas, NV. The conference agenda looks great, with training classes available before and after the summit. The tuition fee is $1,595 if paid by 10 Sep or $1,845 thereafter. I am very much looking forward to attending this event.

Rob also pointed out the new SANS Computer Forensics and E-discovery Community and SANS Forensics Blog.

Friday, September 05, 2008

Microsoft Network Monitor 3.2 Beta for Tracking Traffic Origination

I'm always looking for a tool to map the traffic to or from a host with the process receiving or sending it. Today I noticed that Microsoft Network Monitor offers a beta that appears to have the functionality, according to this Netmon blog post. I visited the Netmon site on Microsoft Connect (registration required) to download beta 3.2. I ran two live capture tests to see what Netmon 3.2 beta would report.



As you can see in this first screen capture, the vast majority of traffic is considered "unknown." I tried using ping.exe in a cmd.exe terminal. I tried using ftp.exe in the same cmd.exe terminal. I used Firefox to watch a YouTube video, and I used Microsoft Media Player to view some video. It seemed that the more time an activity occupied, the more likely Netmon would associate it with the right process. For example, downloading a FreeBSD .iso through Firefox appeared associated with Firefox, but visiting most Web sites did not.



I tried a second session where I updated Adobe Acrobat Reader, launched Skype, and a few other actions. Again the vast majority of traffic is "unknown," although I could tell much of it was caused by launching Skype.

Does anyone else use this program and get different results? Incidentally I took these actions as Administrator to ensure I didn't run into any permissions problems, but it doesn't seem to have made a difference here.

Do you have a program to map traffic to generating processes, live?

Tuesday, September 02, 2008

Schneier Agrees: Security ROI is "Mostly Bunk"

I know a lot more people pay attention to Bruce Schneier than they do to me, so I was thrilled to read his story on Security ROI (also in CSO Magazine):

Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable.

It's become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off. And in response, vendors are providing ROI models that demonstrate how their particular security solution provides the best return on investment.

It's a good idea in theory, but it's mostly bunk in practice.

Before I get into the details, there's one point I have to make. "ROI" as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.

But as anyone who has lived through a company's vicious end-of-year budget-slashing exercises knows, when you're trying to make your numbers, cutting costs is the same as increasing revenues. So while security can't produce ROI, loss prevention most certainly affects a company's bottom line.


I am really honored to see Bruce's blog post link to three of my previous posts on the subject too.

Enterprise Users Should Not Be Records Managers

I found J. Timothy Sprehe's FCW article Seeking the records decider interesting. The whole article is worth reading, and it's short, but I'll post some excerpts to get the point across:

Like everyone else — including NARA — GAO assumes and accepts that employees will decide whether e-mail messages are federal records. It is fundamentally wrong to lodge decision-making for records management at the desktop PC level. It means the agency has as many records managers as it has e-mail users — a patent absurdity.

Managing e-mail at the desktop level is failing everywhere...

Records management works best when it happens in the background in a way that is transparent to employees...

Conventional wisdom says the technology for making e-mail management decisions at the software or server level is not yet mature. In my judgment, that mindset demonstrates a lack of imagination and an unwillingness to tackle old questions in new ways...

The Air Force is moving even further with the implementation of its enterprise information management strategy. Using proven commercial products, the Air Force is investing heavily in automated metadata extraction for all information objects, including e-mail messages, and populating an enterprisewide metadata registry. Air Force officials believe they can construct a rules engine that will use the detailed metadata to automate records management decisions, including retention and disposition schedules. Desktop PC users will see none of that.

Another beauty of the Air Force strategy is that it holds the promise of supplying an enterprisewide solution for e-discovery, which involves providing electronic documents for evidence in legal cases...

Agencies will never train their senior officials — let alone every rank-and-file user — to make well-informed decisions about e-mail records management. Why not accept that fact and experiment with new approaches that really work?


I agree with that sentiment. What's better, an automated system whose rules can be explained, tested, and agreed upon, or a policy that relies on interpretation and implementation by users?

This article reinforces one of the great recent security insights of our time, by Nitesh Dhanjani:

The job of information security is to make it harder for people to do wrong things.

Automatic background patch installation, automatic background backups and archiving, and related unobtrusive yet effective measures are the way forward. Users neither care nor are equipped to defend themselves, and they really shouldn't have to worry about being security experts.

Can anyone comment on the Air Force's approach?

Monday, September 01, 2008

Standards for System Administration

My favorite article from the August ;login: magazine is online: "Standard Deviations" of the Average System Administrator (.pdf) by Alva Couch. I'd like to highlight some excerpts:

System administrators have a surprising amount in common with electricians. Both professions require intensive training. Both professions are plagued by amateurs who believe (erroneously) that they can do a good job as a professional. Both professions are based upon a shared body of knowledge.

But electricians can call upon several resources that system administrators lack. Electricians have a legally mandated mentorship/apprenticeship program for training novices. They have a well-defined and generally-accepted profession of job grades, from apprentice to journeyman to master. They advance in grade partly through legally mandated apprenticeship and partly through legally mandated certifications. These certifications test for knowledge of a set of standards for practice—again, mandated by law. The regulations are almost universally accepted as essential to assuring quality workmanship, function, and safety.

In short, one electrician can leave a job and another can take over with minimal trouble and without any communications between the two, and one can be sure that the work will be completed in the same way and to the same standard. Can any two system administrators, working for different employers, be interchanged in such a fashion?

At present, system administrators are at a critical juncture. We have functioned largely as individuals and individualists, and we greatly value our independence. But the choices we make as individuals affect the profession as a whole. I think it is time for each of us to act for the good of the profession, and perhaps to sacrifice some of that independence for what promises to be a greater good. This will be a difficult sacrifice for some, and the benefits may be intangible and long-term rather than immediate. But I think it is time now for us to change the rules.

From standards for distributions (e.g., the Linux Standard Base) to standards for procedures (e.g., those upon which Microsoft Certified Engineers are tested), I believe that — although standards may annoy us as individuals — standards for our profession (and certification to those standards) help build respect for system administration as a profession. Compliance with standards gives us a new and objective way to measure the quality of management at a site. Standards not only make the task easier but also enforce desirable qualities of the work environment and help to justify appropriate practices to management. Adoption of standards also has a profound effect upon our ability to certify system administrators and even changes the meaning and form of such a certification.

Is a system administrator accorded the same respect as an electrician? I think the answer is an emphatic “no,” at least for those electricians who hold a master’s license. There are two factors that engender respect for a master electrician: legally mandated standards linked closely to legally mandated apprenticeship and certification.


I think the whole article is worth reading, but those are the key points. Now, I'm sure many of us have electrician horror stories. I know someone (not me) who was unlicensed and therefore had to hire an electrician to wire an addition to his house. The "electrician" did such a poor job that this person then rewired everything to code himself rather than bother with the electrician again. I don't think that's the norm, but I wonder if there is any research that might support Dr. Couch's statement that one electrician can leave a job and another can take over with minimal trouble and without any communications between the two, and one can be sure that the work will be completed in the same way and to the same standard?

Still, I guarantee that most every system administrator handles boxes differently. Even within the same company, I find systems horrendously maintained. I once assumed control of a set of "Linux appliances" built and operated by a managed security service provider. They were all built for the same purposes, but ran a variety of Linux kernels with different applications, versions, and configurations. These were all operated by the same small MSSP!

Perhaps one of the worst examples of our lack of standardization involves network diagrams. Sites like Rate My Network Diagram will make you laugh and cry. I usually cry because I took four years of architecture training in high school. We did most everything by hand (it was the late 1980s), to include learning how to write the various "architectural fonts" we were expected to use. (We did start learning how to operate AutoCAD on the Apple IIGS just before graduation!) The point, however, was all of our diagrams looked similar, if not the same. This standardization allows one architect to review and build using another's plans without wondering what the various lines and icons mean.

Incidentally, I know about Cisco's icons. I'm talking about a standard way to use such icons, not standardized icons themselves. That's only one step.

Don't get me started on standard terminology... Yes, the image on the left depicts my feelings about the maturity of our industry. It's still early days, so I hope we decide to professionalize during my working lifetime.

NetworkMiner

Thanks to the great Toolsmith article by Russ McRee, I decided to try Eric Hjelmvik's NetworkMiner, a Windows-based network forensic tool.

You might think that Wireshark is the only tool you need for network forensics, but I maintain that Wireshark (while a great tool) is best used for packet-by-packet analysis. 95% of network forensics investigations are mostly concerned with the application layer data passed during a transaction, not the value of the initial sequence number sent in a SYN segment.

I intend to keep an eye on NetworkMiner because it's free and very easy to use. It would be great to see functionality in NetworkMiner merged into Wireshark. For example, I don't see any reason to implement feature requests for parsing any protocol that Wireshark already supports (which is basically every protocol that matters). NetworkMiner should focus on content extraction and perhaps leverage Wireshark where it can.