Thursday, June 08, 2006

Tracking Exploits

I received a link to this press release today. Unlike many press releases, this one contained interesting news. It reported that a new security company called Exploit Prevention Labs (XPL) just released their first Exploit Prevalence Survey™, which ranks five client-side exploits used to compromise Web surfers. This seems similar to US-CERT Current Activity, although that report jumbles together many different news items and doesn't name specific exploits. According to the press release

The results of the monthly Exploit Prevalence Survey are derived from automated reports by users of Exploit Prevention Labs’ SocketShield anti-exploit software (free trial download at http://www.explabs.com), who have agreed to have their SocketShield installations report all suspected exploit attempts back to the researchers at Exploit Prevention Labs.

This reminds me of Microsoft's Strider HoneyMonkey project, which uses bots to crawl the Web looking for malicious sites. XPL instead relies on real users visiting the same sites.

In any case, I look forward to the next report from XPL and I hope they apply some sort of rigor to their analysis. I wonder if the sites they visit ever end up in one of the popular blacklists? Also, where do you download exploits as they are released, now that FrSIRT VNS costs money?

Answering Penetration Testing Questions


Some of you have written regarding my post on penetration testing. One of you sent the following questions, which I thought I should answer here. Please note that penetration testing is not currently a TaoSecurity service offering, so I'm not trying to be controversial in order to attract business.

  • What do you feel is the most efficient way to determine the scope of a pen test that is appropriate for a given enterprise? Prior to hiring any pen testers, an enterprise should conduct an asset assessment to identify, classify, and prioritize their information resources. The NSA-IAM includes this process. I would then task the pen testers with gaining access to the most sensitive information, as determined by the asset assessment. Per my previous goal (Time for a pen testing team of [low/high] skill with [internal/external] access to obtain unauthorized [unstealthy/stealthy] access to a specified asset using [public/custom] tools and [complete/zero] target knowledge.) one must decide the other variables before hiring a pen testing team.

  • What do you feel is the most efficient way to determine which pen tester(s) to use? First, you must trust the team. You must have confidence (and legal assurances) they will follow the rules you set for them, properly handle sensitive information they collect, and not use information they collect for non-professional purposes. Second, you must select a team that can meet the objectives you set. They should have the knowledge and tools necessary to mirror the threat you expect to face. I will write more on this later. Third, I would rely on referrals and check all references a team provides.

  • Do you feel there is any significant value in having multiple third parties perform a pen test? This issue reminds me of the rules requiring changing of financial auditors on a periodic basis. I believe it is a good idea to conduct annual pen tests, with one team in year one and a second team in year two. At the very least you can have two experiences to draw upon when deciding who should return for year three.

  • Have you had any significant positive/negative experiences with specific pen testers? I once monitored a client who hired a "pen tester" to assess the client's network. One weekend while monitoring this client, I saw someone using a cable modem run Nmap against my client. The next Monday my client wanted to know why I hadn't reported seeing the "pen test". I told my client I didn't consider an Nmap scan to be a "pen test". I soon learned the client had paid something like $5000 for that scan. Buyer beware!

  • Do you have any additional recommendations as to how to choose a pen tester? Just today I came across what looks like the industry's "first objective technical grading system for hackers and penetration testers" -- at least according to SensePost. This is really exciting, I think. They describe their Combat Grading system this way: Participants are tasked to capture the flag in a series of exercises carefully designed to test the depth and the breadth of their skill in various diverse aspects of computer hacking. Around 15 exercises are completed over the course of two days, after which each participant is awarded a grade reflecting their scores and relative skill levels in each of the areas tested. Each exercise is completely technical in nature. This sounds very promising.

  • Do you have any literature that you can recommend in regard to pen testing? I have a few books nearby, namely Penetration Testing and Network Defense (not read yet) and Hack I.T. (liked it, but 4 years old). The main Hacking Exposed series discusses vulnerability assessment, which gets you halfway through a pen test.


If I had the time and money I would consider attending SensePost training, which looks very well organized and stratified. It is being offered at Black Hat Training, which as usual seems very expensive. Good, but expensive.

Tuesday, June 06, 2006

Notes from Techno Security 2006

Today I spoke at three Techno Security 2006 events. I started the day discussing basic and advanced enterprise network instrumentation topics. I ended the day on a panel discussion with Russ Rogers, Marcus Ranum, and Johnny Long, moderated by Ron Gula. My wife and daughter and I also shared lunch with Kevin Mandia and Julie Darmstadt, both of whom I worked with at Foundstone.

This was my second Techno Security conference. I want to record a few thoughts from this conference, especially after hearing Marcus speak yesterday and after joining today's panel discussion.

Yesterday Marcus noted that the security industry is just like the diet industry. People who want to lose weight know they should eat less, eat good food, and exercise regularly. Instead, they constantly seek the latest dieting fad, pill, plan, or program -- and wonder why they don't get the results they want!

Marcus spent some time discussing money spent on security. He says we are "spending rocket science dollars but getting faith healer results." He quoted a March 2005 document by Peter Kuper (.pdf) analyzing the security vendor scene. Kuper claims that the 700 companies estimated to exist in 2005 will compete for $16 billion in revenues in 2008. That's an average of $22,857,143 per company -- not enough to sustain most players. When the three "big boys" -- Symantec, Cisco, and McAfee -- are removed, that leaves only $11.5 billion for the remaining 697 companies, or only $16,499,283 per company; that's even worse. Kuper and Marcus believe all security companies are going to end up being owned by Symantec, Cisco, McAfee, or Microsoft, or will go out of business.

Finally, I've been following the SecurityMetrics.org mailing list thread caused by Donn Parker's article and my blog posts. I've discussed the risk equation both in this blog and in my books, so you may wonder why I even mention it if I feel that measuring risk is basically worthless? The answer is simple. The risk equation is like the OSI model. In practical applications, both are worthless. No one runs OSI protocols, but everyone talks about "layer 3," "layer 4," and so on. So, the terms are helpful, but the implementation fails.

(By implementation, I mean no one runs OSI protocols like CLNP. IS-IS might be an exception, although exceptionally rare.) [Note to self: prepare for deluge of posts saying "We run IS-IS!", even though I've never seen it.]

Sunday, June 04, 2006

Follow-Up to Donn Parker Story

My earlier post is being debated on the private Security Metrics mailing list. I posted the following tonight:


Chris Walsh wrote:

> Alrighty.
>
> It's time for a Marines vs. Air Force slapdown!

I should have anticipated that someone on this list would read my blog!

I do not agree with all of Donn's points, and I state in my post some
of his ideas are weak. I would prefer Donn defend himself in person.

However, I am going to stand by this statement:

"As security professionals I agree we are trying to reduce risk, but
trying to measure it is a waste of time."

I agree with Donn that a risk measurement approach has not made us
more secure. That does not mean nothing can be measured. It also
does not mean that measurements are worthless.

Removing the double negatives, I am saying that some things can be
measured, and measurements can be worthwhile.

Rather than spending resources measuring risk, I would prefer to see
measurements like the following:

1. Time for a pen testing team of [low/high] skill with
[external/internal] access to obtain unauthorized access to a
specified asset using [public/custom] tools and [zero/complete] target
knowledge.

Note this measurement contains variables affecting the time to
successfully compromise the asset.

2. Time for a target's intrusion detection team to identify said
intruder (pen tester), and escalate incident details to the incident
response team.

3. Time for a target's incident response team to contain and remove
said intruder, and reconstitute the asset.

These are the operational sorts of problems that matter in the real
world. These are only three small ideas -- not a comprehensive
approach to the problem set.

Sincerely,

Richard

PS: Go Air Force. :)

Nessus 3.0.3 on FreeBSD

Several times last year I talked about using Nessus on FreeBSD. Last night I finally got a chance to install and try Nessus 3.0.3 on FreeBSD. Here's how I did it.

First I downloaded Nessus 3.0.3 as a package for FreeBSD 6.x (called Nessus-3.0.3-fbsd6.tbz). I added cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 package:

orr:/root# pkg_add -v Nessus-3.0.3-fbsd6.tbz
Requested space: 16570324 bytes, free space: 4394956800 bytes in /var/tmp/instmp.YdVsPF
Running pre-install for Nessus-3.0.3..
extract: Package name is Nessus-3.0.3
extract: CWD to /usr/local
extract: /usr/local/nessus/lib/nessus/plugins/synscan.nes
extract: /usr/local/nessus/lib/nessus/plugins/12planet_chat_server_path_disclosure.nasl
...edited...
extract: /usr/local/nessus/bin/nasl
extract: /usr/local/nessus/bin/nessus
extract: /usr/local/nessus/bin/nessus-fetch
extract: /usr/local/nessus/bin/nessus-bug-report-generator
extract: /usr/local/nessus/bin/nessus-mkcert-client
extract: /usr/local/nessus/bin/nessus-mkrand
extract: /usr/local/nessus/sbin/nessus-add-first-user
extract: /usr/local/nessus/sbin/nessus-check-signature
extract: /usr/local/nessus/sbin/nessus-adduser
extract: /usr/local/nessus/sbin/nessus-chpasswd
extract: /usr/local/nessus/sbin/nessus-rmuser
extract: /usr/local/nessus/sbin/nessus-mkcert
extract: /usr/local/nessus/sbin/nessus-update-plugins
extract: /usr/local/nessus/sbin/nessusd
extract: /usr/local/nessus/var/nessus/nessus-services
extract: /usr/local/nessus/var/nessus/nessus_org.pem
extract: /usr/local/etc/rc.d/nessusd.sh
extract: CWD to .
Running mtree for Nessus-3.0.3..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Running post-install for Nessus-3.0.3..
Running post-install for Nessus-3.0.3..
nessusd (Nessus) 3.0.3. for FreeBSD
(C) 1998 - 2006 Tenable Network Security, Inc.

Processing the Nessus plugins...
[##################################################]

All plugins loaded

- Please run /usr/local/nessus/sbin/nessus-add-first-user to add an admin user
- Register your Nessus scanner at http://www.nessus.org/register/ to obtain
all the newest plugins
- You can start nessusd by typing /usr/local/etc/rc.d/nessusd.sh start
Attempting to record package into /var/db/pkg/Nessus-3.0.3..
Package Nessus-3.0.3 registered in /var/db/pkg/Nessus-3.0.3

Next I added a user:

orr:/root# /usr/local/nessus/sbin/nessus-add-first-user
Using /var/tmp as a temporary file holder

Add a new nessusd user
----------------------


Login : bejnessus
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that bejnessus has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)

Login : bejnessus
Password : ***********
DN :
Rules :

Is that ok ? (y/n) [y] y
user added.
Thank you. You can now start Nessus by typing :
/usr/local/nessus/sbin/nessusd -D

Next I registered using the code emailed to me:

orr:/root# /usr/local/nessus/bin/nessus-fetch --register codegoeshere
Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will
update the plugins by itself.

Finally I started the Nessus daemon.

orr:/root# /usr/local/etc/rc.d/nessusd.sh start
Nessus
orr:/root# sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root nessusd 13116 4 tcp4 *:1241 *:*
root sendmail 434 4 tcp4 127.0.0.1:25 *:*
root sshd 428 4 tcp4 *:22 *:*
root syslogd 312 6 udp4 *:514 *:*

When I finished I removed the executable bit from the nessusd.sh script so it would not execute on boot. This is because I don't need it on boot, especially since it takes over a minute to load all the plugins.

orr:/root# chmod -x /usr/local/etc/rc.d/nessusd.sh

To start nessusd when the execute bit is not set, I do the following:

orr:/root# sh /usr/local/etc/rc.d/nessusd.sh start
Nessus

Note the default /usr/local/nessus/etc/nessus/nessusd.conf contains the following:

# Automatic plugins updates - if enabled and Nessus is registered, then
# fetch the newest plugins from plugins.nessus.org automatically
auto_update = yes
# Number of hours to wait between two updates
auto_update_delay = 24

I changed this to say

auto_update = no

because I prefer to update the plugins manually.

orr:/root# /usr/local/nessus/sbin/nessus-update-plugins
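The auto_update change above is a one-word edit, but it is exactly the kind of setting that quietly reverts when a package is reinstalled or upgraded, so it is worth scripting and checking rather than editing by hand. The POSIX sh below is an added example and is not part of the original post or of any Nessus tool: it reads and rewrites a "key = value" entry in a nessusd.conf-style file without disturbing the comment lines around it, and it builds a constructed copy of the fragment quoted above to work on. The helper names (get_conf, set_conf, disable_auto_update, make_sample), the temporary-file handling and the sample file are all assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post or from Nessus): idempotently
# read and set "key = value" entries in a nessusd.conf-style file, keeping
# the comment lines around them intact. Helper names and the sample file
# are assumptions made for this example.

set -eu

# get_conf FILE KEY: print KEY's value (last match wins), or nothing if unset.
# The pattern is anchored at the key, so '#' comment lines never match and
# "auto_update" does not match the longer "auto_update_delay".
get_conf() {
    file=$1 key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\(.*\)\$/\1/p" "$file" | tail -n 1
}

# set_conf FILE KEY VALUE: replace KEY's line in place, or append if absent.
# Writes to a temp file first so a failed sed never truncates the config.
set_conf() {
    file=$1 key=$2 value=$3
    tmp="${file}.tmp.$$"
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed "s/^[[:space:]]*${key}[[:space:]]*=.*/${key} = ${value}/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# disable_auto_update FILE: the edit made in the post, as a function that
# reports whether anything changed (0 = changed, 1 = was already "no").
disable_auto_update() {
    file=$1
    if [ "$(get_conf "$file" auto_update)" = no ]; then
        return 1
    fi
    set_conf "$file" auto_update no
}

# make_sample DIR: write a constructed copy of the nessusd.conf fragment
# quoted in the post into DIR and print its path (sample data, not a real
# install).
make_sample() {
    f="$1/nessusd.conf"
    cat > "$f" <<'EOF'
# Automatic plugins updates - if enabled and Nessus is registered, then
# fetch the newest plugins from plugins.nessus.org automatically
auto_update = yes
# Number of hours to wait between two updates
auto_update_delay = 24
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: build the sample, flip auto_update, show the result.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    f=$(make_sample "$d")
    disable_auto_update "$f" || echo "auto_update was already no"
    cat "$f"
    rm -r "$d"
fi
```

Run it with `--demo` to see the rewritten fragment; against a real install you would call `disable_auto_update /usr/local/nessus/etc/nessus/nessusd.conf` and restart nessusd. One unrelated check worth making at the same time: the sockstat output above shows nessusd bound to `*:1241`, that is, on every interface, so if the scanner host is reachable from networks you do not control, restrict TCP 1241 with the host firewall to the addresses your NessusClient connects from.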

Nessus now provides a separate GUI client called NessusClient. I tried to install it this way:

orr:/usr/local/src# tar -xzvf NessusClient-1.0.0.RC5.tar.gz
x NessusClient-1.0.0.RC5/
x NessusClient-1.0.0.RC5/.root-dir
...edited...
x NessusClient-1.0.0.RC5/TODO
x NessusClient-1.0.0.RC5/VERSION
orr:/usr/local/src# cd NessusClient-1.0.0.RC5
orr:/usr/local/src/NessusClient-1.0.0.RC5# ./configure
creating cache ./config.cache
checking host system type... i386-unknown-freebsd6.0
...edited...
creating doc/NessusClient.1
creating include/config.h
orr:/root/NessusClient-1.0.0.RC5# make
...edited...
prefs_scope_tree.o(.text+0x434): In function `scopetree_rename':
prefs_dialog/prefs_scope_tree.c:179: undefined reference to `prefs_context_update'
prefs_scope_tree.o(.text+0x9c6): In function `scopetree_delete':
prefs_dialog/prefs_scope_tree.c:376: undefined reference to `prefs_context_update'
prefs_scope_tree.o(.text+0xab6):prefs_dialog/prefs_scope_tree.c:415: undefined reference to
`prefs_context_update'
prefs_scope_tree.o(.text+0xc65):prefs_dialog/prefs_scope_tree.c:500: more undefined references to
`prefs_context_update' follow
*** Error code 1

Stop in /usr/local/src/NessusClient-1.0.0.RC5/nessus.
*** Error code 1

Stop in /usr/local/src/NessusClient-1.0.0.RC5.

Rats. Luckily I found this post which suggested a fix using Gmake. After starting with a fresh extraction of NessusClient-1.0.0.RC5, I ran ./configure, gmake, and gmake install. Everything worked.

/usr/bin/install -c -m 755 /root/NessusClient-1.0.0.RC5/bin/NessusClient /usr/local/bin
test -d /usr/local/bin || /usr/bin/install -c -d -m 755 /usr/local/bin
/usr/bin/install -c -m 755 nessusclient-mkcert /usr/local/bin
/usr/bin/install -c -m 755 ssl/nessus-mkrand /usr/local/bin
installing man pages ...
/usr/bin/install -c -c -m 0444 doc/NessusClient.1 /usr/local/man/man1/NessusClient.1
/usr/bin/install -c -c -m 0444 doc/nessusclient-mkcert.1
/usr/local/man/man1/nessusclient-mkcert.1
/usr/bin/install -c -c -m 0444 doc/nessus-mkrand.1 /usr/local/man/man1/nessus-mkrand.1

I could now start the client:

orr:/home/richard$ NessusClient



I selected File -> Scan Assistant to create a "demo" Task, with "demo" scope, and "localhost" as target.

I then was prompted for my username and password to connect to the nessusd server.



Once connected, Nessus began scanning localhost.



When done I had a report.



These are the basics of running Nessus 3.0.3 with NessusClient on FreeBSD. I used the defaults for everything to get my results. An alternative would be to use Nessus 2.2.8, which is in the ports tree.

For more information, consider attending Nessus Training by Tenable Network Security.

Friday, June 02, 2006

Excellent Articles in Newest NWC

I wanted to briefly mention three great articles in the newest Network Computing magazine:

All three are free and fairly informative. I hear a lot of buzz about leasing hardware and software. Are you turning to leasing instead of buying? If so, what are you leasing, and why?

Risk-Based Security is the Emperor's New Clothes

Donn Parker published an excellent article in the latest issue of The ISSA Journal titled Making the Case for Replacing Risk-Based Security. This article carried a curious disclaimer I had not seen in other articles:

This article contains the opinions of the author, which are not necessarily the opinions of the ISSA or the ISSA Journal.

I knew immediately I needed to read this article. It starts with a wonderful observation:

What are we doing wrong? Is the lack of support for adequate security linked to our risk-based approach to security? Why can't we make a successful case to management to increase the support for information security to meet the needs? Part of the answer is that management deals with risk every day, and it is too easy for them to accept security risk rather than reducing it by increasing security that is inconvenient and interferes with business.

I would argue that management decides to "accept security risk" because they cannot envisage the consequences of security incidents. I've written about this before.

However, Donn Parker's core argument is the following:

CISOs have tried to justify spending resources on security by claiming that they can manage and reduce security risks by assessing, reporting, and controlling them. They try to measure the benefits of information security "scientifically" based on risk reduction. This doesn't work... I propose that intangible risk management and risk-based security must be replaced with practical, doable security management with the new objectives of due diligence, compliance consistency, and enablement.

I agree. Here is a perfect example of the problem:

One CISO told me [Parker] that he performs risk assessment backwards. He says that he already knows what he needs to do for the next five years to develop adequate security. So he creates some risk numbers that support his contention. Then he works backwards to create types of loss incidents, frequencies, and impacts that produce those numbers. He then refines the input and output to make it all seem plausible. I suggested that his efforts are unethical since his input data and calculations are all fake. He was offended and said that I didn't understand. The numbers are understood by top management to be a convenient way to express the CISO's expert opinion of security needs.

This is my question: what makes these shenanigans possible? Remember the risk equation (Risk = Threat X Vulnerability X Asset Value) and consider these assertions:

  • Hardly anyone can assess threats.

  • Few can identify vulnerabilities comprehensively.

  • Some can measure asset value.


As a result, there is an incredible amount of "play" in the variables of the risk equation. Therefore, you can make the results anything you want -- just as the example CISO shows.

It is tough enough to assign values to threats and vulnerabilities, even if time froze. In the real world, threats are constantly evolving and growing in number, while new vulnerabilities appear in both old and new software and assets on a daily basis. A network that looked like it held a low risk of compromise on Monday could be completely prone to disaster on Tuesday when a major new vulnerability is found in a core application.

Parker's alternative includes the following:

Due diligence: We can show management the results of our threat and vulnerability analysis (using examples and scenarios) by giving examples of the existence of the vulnerabilities and solutions that others have employed (not including estimated intangible probabilities and impacts). Then we can show them easily researched benchmark comparisons of the state of their security relative to other well-run enterprises and especially their competitors under similar circumstances. We then show them what would have to be done to adopt good practices and safeguards to assure that they are within the range of the other enterprises.

Bottom line: be as good as the next guy.

Compliance: We are finding that the growing body of security compliance legislation such as SOX, GLBA, and HIPAA and the associated personal and corporate liability of managers is rapidly becoming a strong and dominant security motivation...(The current legislation is poorly written and has a sledgehammer effect as written by unknowing legislative assistants but will probably improve with experience, as has computer crime legislation.)

Bottom line: compliance has turned out to be the major incentive I've seen for security initiatives. I am getting incident response consulting work because clients do not want to go to jail for failing to disclose breaches.

Enablement: It is easily shown in products and services planning that security is required for obvious and competitive purposes and from case studies, such as the Microsoft experience of being forced by market and government pressures to build security into their products after the fact.

Bottom line: this is the weakest argument of the three, and maybe why it is last. Microsoft may be feeling the heat, but it took five years and the situation is still rough. Oracle is now under fire, but how long will it take for them to take security seriously? And so on.

I think Donn Parker is making the right point here. He is saying the Emperor has no clothes and the legions of security firms providing "risk assessments" are not happy. Of course they're not -- they can deliver a product that has no bearing on reality and receive money for it! That's consequence-free consulting. Try doing that in an incident response scenario where failure to do your job means the intruder remains embedded in a client's infrastructure.

As security professionals I agree we are trying to reduce risk, but trying to measure it is a waste of time. I am sad to think organizations spend hundreds of thousands of dollars on pricey risk assessments and hardly any money on real inspection of network traffic for signs of intrusions. The sorts of measurements I recommend are performance-based, as I learned in the military. We determine how good we are by drilling and exercising capabilities, preferably against a simulated enemy. We don't write formulas guestimating our defense posture.

This is not the last I have to say on this issue, but I hope to be boarding a flight soon. I commend The ISSA Journal for publishing an article that undermines a pillar of their approach to security. I bet (ISC)2 will also love Donn's approach. :)