Review – Security Power Tools

Security Power Tools is one of those monstrous tomes that people buy and almost no one ever actually reads. It sits on the shelf and mocks you with the knowledge that it contains while simultaneously scaring you with the commitment it would take to actually read it. It’s 822 pages of dense techno babble.

It took me about three weeks to get through it.

In general, it contains the same information that is in SANS 504, but not quite as complete. It is, however, much cheaper than the course.

In the course, you get six days with a top-notch penetration tester and walk through all of the commonly-used tools in a standardized environment. You get lots of practice and a interactive sessions with security practitioners of various levels. In my opinion, it is the best way to learn.

However, it’s not something that everyone can do, either for reasons of budget or time. Failing that, Security Power Tools is a good alternative. It digs into scanning, reconnaissance, penetration techniques and tools, backdoors, rootkits, firewalls, encryption, service tuning, monitoring, forensics, fuzzing and reverse engineering. It’s a fairly complete book.

It is important, though, to read the book correctly. If you want to learn, really learn, how these things work, you have to approach it as self study, not just a reference guide. Before you pick it up, look at your life and decide how much time each week you can devote to the process. Reserve that time in your schedule. As you read the book, consider each section independently and think about how you might use the tool in a real world scenario. Then, build such an environment (use virtualization if it helps). Read the section again and run the tool within the environment.

That way, you actually learn how things work instead of just having a surface-level understanding.

Small Business Defense – Anti-Malware (yes, again)

Microsoft recently released their Security Essentials product. This is a free anti-malware product, and analysts seem to think that it does a pretty good job at what it does.

However, I want to point out one thing that you probably already know: You get what you pay for.

Security Essentials is intended to be a lightweight anti-malware solution that competes against other free AV solutions. It does a decent job at protecting against the average threat and is certainly better than using nothing at all. However, it is a mistake to compare it to a professional anti-malware system. As SANS says, “Think of this as the AV as it used to be in 2000 or so.”

In short, if you are a home user and don’t care enough about your system to spent $50 a year to protect it, go ahead and use Security Essentials. However, if you are in a business environment, you need something that includes firewall, behavioral detection, network access control, data loss prevention and central management (and more). Security Essentials won’t cut it.

Lastly, if you do decide that you want to try it out, be sure you download the right thing. There are search engine optimization attempts going on to make malicious software (fake antivirus) appear on the search results instead of the link you really want. The right link is http://www.microsoft.com/security_essentials/.

Small Business Attack – Malware (yes, again)

I’ve posted about the current run of banking malware before. For a quick review, this is malware that sits on your computer and waits for you to access your online banking site. Once you’re logged in, it watches what you do and then surreptitiously transfers money out of your account to the attacker. I’m posting about it again because of the new wrinkle:

It will now alter what your browser shows to you, so that you don’t see the unauthorized transfers.

Essentially, the malware knows what you expect to see and shows you that, while it is simultaneously lurking under the radar of banks and avoiding their anti-fraud systems. For those that want more details, read this, this, this and this.

For everyone else, try the following:

1) Check your banking statements very carefully. Most home users have at least 30 days to challenge a transfer, but business users only get 2.

2) Work with your bank to implement a call-back mechanism so that you can approve transfers.

3) See if you can use a dedicated system for only doing banking. Leave it unplugged and turned off unless you’re using it or patching it.

4) Keep all of your other systems patched and run a decent anti-malware system.

Security Lessons from Nature – Long Worm

There is a story that we hear as kids about worms.  We’re told that you can cut worms into as many pieces as you like and they’ll each grow into a new worm.  As cool as that sounds, it’s a lie… mostly.

Regular earthworms don’t regenerate, so you can set aside your plans to buy worms on the Internet, cut them up, and sell them at a profit. However, after generations of scientists spent their lives gleefully chopping up worms and recording the results, we know of a few families of worms that do manage to more of less regenerate.

The key seems to be the segments. When you make a cut, the number of segments connected to one another determine the worm’s ability to regenerate. Certain worms can, in fact, grow from both ends and go on to live fairly normal lives… at least, as far as worms go.

This can be applied to business systems as well, though we call the segments different things at different levels. At a programming level, we work with modules and services. A good design would use lose coupling and connect the segments in such a way that some of them could fail and the system would still function. At a system/network level, you can build highly available systems out of nodes and connect them with either a cluster or virtualization system. Again, the goal would be that if any nodes fail, the system itself would survive.

What’s interesting is that the same model works at the business as well. One of the techniques discussed at last month’s BIZ presentation for business acquisition, was to build your business such that you can spin portions off. Business incubators often work the same way.

The thing we often forget about security is that it’s not just about keeping the wrong people out and allowing the right people in. It’s about survival. The reason we care so much about access and is that one of the easiest ways to ensure survivability is to prevent bad people from getting in. However, if the ultimate goal is to survive, you also have to consider ways to thrive in changing environments. Security should be intrinsically tied into the business in the same way that the segments tie into the worm.

The segments do more than just allow the worm to survive should it be dissevered in the name of scientific discovery. They give the worm flexibility and help contain organs. In fact, the longest worms in the world are segmented.

Makes you think, doesn’t it?

Mythic Monday – The Camel Seen For The First Time

Another Aesop fable is The Camel Seen For the First Time. You can read it here, here or here… but since it’s short, I’ll paraphrase it here. (While the actual text is public domain, the translations are, for the most part, not.)

When humans first say the camel, they found it frightening. It was huge, scary and humpy, so everyone fled. However, as time went by, people discovered that the camel was gentle. As they grew more familiar with it, they began to hold it in contempt and eventually allowed their children to lead it.

The intent of the fable is to basically show that familiarity breeds contempt. It is both a message that one should not fear things unnecessarily, and that one should not become so familiar with something that fear goes away entirely.

I think that this applies to technology as well. We often hear about new technology and how it can be paradigm-changing. However, when we first attempt to deploy such technology we are often baffled and confused. New technology can be incredibly complex and difficult to understand. It can take days of trial and error to figure it out, much less determine how to best fit the technology into your existing infrastructure.

Of course, once you’ve managed to get the technology working, it seems old hat and it is often baffling when new employees don’t pick it up right away. As time goes by, though, they learn the technology and eventually take over.

The lesson here, of course, is to learn from other camel trainers. If you just believe those that have gone before you, you can avoid the whole fear response and jump ahead to figuring out how to train the camel. Then you can get the technology quickly deployed and get on to learning about future species.

Other Sites: Business, Photos/Conservation

Get the feed (RSS):



Josh More - Entropologist
Expert in removing chaos from
I.T. and business systems.