Mythic Monday – Bulgarian Scope Creep
- At February 08, 2010
- By Josh More
- In Mythology
- 0
There is a Bulgarian creation myth where in the beginning, the earth was just a tiny island. Cohabitating on this island were God and the Devil (guess they were more friendly then). One day, perhaps following an Oscar and Felixian roommate dispute, the Devil suggested that God take a nap, planning that whilst the almighty creator was slumbering, he could be tipped into the ocean. I guess that, in Bulgaria, one can be omnipotent and omniscient, and still somehow fail to gain their B.S.C and S.S.C..
Anyway, as the Devil attempted to push God off the island, the island magically expanded in each direction (it’s clear from this story that the Devil wasn’t omniscient), so that nary a toe got dampened. The shoreline simply grew in each direction and, by the time the Devil gave up, the island had expanded to the size of our current Earth. Which basically means that the state of the Earth today is due entirely to Devil-induced scope creep.
It explains a lot, doesn’t it?
Scope creep is a danger in all projects. It doesn’t matter whether you’re developing an application, enacting a security program or just shopping for groceries, scope creep can blow both your budget and deadline. It’s tempting when you’re working on something to just add a little piece here and there because it will make future work easier. Unfortunately for the business, integer math insists on summation, and so long as businesses are profit-focused, integer math is going to be important. From a security perspective, scope creep is additionally dangerous because it complicates things. Complicated things are harder to secure than simple things. The simpler you can keep a project, the better you can understand it, so the easier it is to secure.
Scope creep, of course, is most dangerous when shopping. A while back, I stopped by the store to pick up some basics (apples, bananas, yogurt, etc), and I noticed that winter squash was on sale… so my scope expanded a little bit and two squash wound up in my cart. Later, once I got home I realized that I had no idea what to do with them (other than the basic roast squash, which is boring). After consulting one of my cook books, I discovered that I needed a few more things. After another shopping trip that involved carrots, celery, onions, garlic and broth, I soon had two soups a simmering. Regrettably, the last step for each soup involved a blender, and the blender I had was incapable of dealing with the increased complexity of my soups. It quickly suffered what I must refer to as a catastrophic containment failure which necessitated another trip to the store to get a new blender.
All told, my initial scope creep of two impulse-bought squash cost me over a hundred dollars in ingredients and blender replacement, not to mention the ridiculous amount of time wasted in the endeavor. While I am thankful that I was able to find the blender-related security hole and believe that I have effectively mitigated the risk, life would have been much simpler had I not needed to.
I’m blaming the devil.
Advanced Persistent Threat (APT)
- At February 05, 2010
- By Josh More
- In Business Security
- 0
There has been a great deal of discussion in the security community about APT. The link covers it at a high level, but in a nutshell, it’s a type of hacking that is distinguished by attackers who have the time and money to target specific individuals and organizations. Since the resources (time and money) available to the attackers are at a much larger scale than what the defenders can muster, a lot of people are calling this a game changer.
As usual, the battle lines seem drawn along traditional lines, with both sides claiming that the other “doesn’t get it”. For a quick read, check out Richard Bejtlich’s post and MANDIANT’s post and, for a counterpoint, check out Gunnar Peterson’s.
Of course, they’re both right. Neither side gets it. Both are blind. Those that work enterprise security consulting see APT everywhere… mostly, I suspect, because in the enterprise security space you only call the consultants when it’s something particularly troublesome (like APT). Of course, once you’ve focused on APT, that’s what you get called in on, so the problem probably looks bigger than it is.
In contrast, those of us who don’t consult in those spaces don’t get those calls, so we don’t see it. We also probably don’t have the transparency needed to see such activity if it is going on in our organizations. So we minimize the threat.
So what do you do about APT?
I suggest that you consider the following checklist:
- Do you have a firewall?
- Does your firewall block outgoing connections?
- Do you have local antimalware running on all your endpoints?
- Do you have a web filtering solution in place?
- Is all access to all systems monitored and audited regularly?
- Do you have a process in place to pull all legacy systems off your network?
- Do you have a patch management system in place?
- Do you have a vulnerability management process in place?
- Do you match all system configurations against hardened templates?
- Do you have a data classification policy that applies to all your data?
- Are you encrypting your important data?
- Do you have a log retention and management infrastructure built?
- Are you running an IDS/IPS system?
- Do you have third party management systems in place?
- Are all of your web applications running in hardened stacks?
- Are you using web application firewalls?
- Are you using database firewalls?
- Do you have regular employee awareness training?
- Are complete penetration tests conducted against your organization?
- Do you have an Internet data monitoring and scrubbing policy in place?
If the answer to each question is “yes”, then you should worry about APT. This is not to say that if any of these are “no”, you don’t have APT going on in your environment. I’m saying that there’s no point pursuing a full on anti-APT strategy until you have the basics in place… and there are a lot of basics. I’m also not saying that any of these technologies will prevent APT (or any security issues), or that all problems even have technical solutions. These are just 20 questions that explore what a minimal and sufficient security solution looks like for the average business.
If you don’t have a minimal and sufficient security solution in place, it’s not that APT isn’t a threat or that an unknown enemy isn’t out to get you… it’s that you probably have more important things to be working on.
Bias Thursday – Déformation professionnelle
- At February 04, 2010
- By Josh More
- In Psychology
- 0
While I am not a psychologist, a good understanding of psychological issues is an important part of a full security practice. These themed posts are likely to be incomplete, as I am just exploring some ideas and how they might apply to security.
Déformation professionnelle (which Google translates as “professional distortion”) is the tendency to consider situations from the perspective of your profession. The classic example is the joke “when all you have is a hammer, every problem looks like a nail”. What I’ve noticed, though, is that “profession” seems to apply to business divisions now. We’re all getting extremely specialized, and that seems to create what we can call “a failure to communicate”.
Take, for example, the concept of risk. In the security field, risk is bad and the steps that can be taken to avoid risk seem reasonable. However, in the business field, risk is viewed in terms of the potential gains that the risk can provide whereas the steps to avoid risk seem likely to cause problems and will therefore impact the bottom line. Similarly, admins and developers are likely to resist the perceived difficulties in implementing the mitigation strategies.
Again, there are both offensive and defensive capabilities to this bias. Offensively, simply knowing a target’s profession can give you a good chance at predicting their responses. If you have a planned proposal, you can practice it against others in the same profession and tweak it before you present it to the people that matter. You can be aware of the context in which they will likely view your ideas and work on expanding their context before you get to the hard stuff.
Defensively, like most biases, you just have to be aware that you will likely view things within the context of your profession. Thus, if you are having conversations with those outside of your profession, there is a higher likelihood of misunderstanding. If you find yourself reacting negatively to something someone else says, you should check and see if maybe that reaction is because you are coming at things from different contexts.
As a note on this particular bias, I have occasionally been asked why I blog the way I do. Other than the fact that the Internet doesn’t need yet another voice in the Security echo chamber, I find that forcing myself to consider issues from different contexts (mythological, natural, psychological, etc) allows me to understand the issues at a deeper level. I don’t know if it gives me any advantage over the usual advantages that one gains by taking time to think things through and write them up… but it doesn’t seem to be hurting.
Security Sprint – Firefox Profiles
- At February 03, 2010
- By Josh More
- In Sprint
- 4
We’re all busy people. A security sprint should take no more than two hours… which, while long for a real sprint, is a mere blink of an eye when compared to the multi-year commitment that is proper security practice.
If you use Firefox as your primary browser, there’s a feature that you’re probably not taking proper advantage of. Firefox stores your personal data in a profile. This includes your bookmarks, passwords, cookies and add-ons. The advantage here is that you can tune your Firefox configuration to what you’re doing… and somewhat segment your data.
For example, I have my normal browsing profile, which includes a bare minimum number of add-ons: Adblock Plus, LongURL Mobile Expander, Web of Trust, BetterPrivacy, Cookie Safe and NoScript. Then, if I am conducting offensive security work, I use a profile that is loaded with some attack tools like SQL Inject Me and XSS Me. Similarly, when I’m doing web development or troubleshooting, I have a separate profile that loads Web Developer and Live HTTP Headers. This approach keeps my normal use fairly light and allows me to load the extensions that I need when I need them.
In theory, it also keeps my passwords and cookies a bit safer than usual. It’s not as secure as using a completely separate user account or even computer for doing dangerous activities, but it’s better than not doing anything at all.
To build your own profiles, go here and launch the Profile Manager. Then, when you start Firefox, you will get a dialog asking you which profile you wish to run. From there, it’s just a matter of picking which mode you wish to work in and selecting the appropriate profile before you start.
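As an added example (not code from the post), a small Python helper that reads a Firefox profiles.ini in the format the Profile Manager writes, checks that the profile for a given task actually exists, and builds the command line that starts Firefox in that profile. The profiles.ini contents, the task names and the profile names are constructed for this example; the -P and -no-remote flags are Firefox’s own.

```python
import configparser
import shlex

# Constructed sample profiles.ini (not copied from a real machine), laid out
# the way the Profile Manager writes it: one [ProfileN] section per profile.
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=0

[Profile0]
Name=default
IsRelative=1
Path=a1b2c3d4.default
Default=1

[Profile1]
Name=offensive
IsRelative=1
Path=e5f6g7h8.offensive

[Profile2]
Name=webdev
IsRelative=1
Path=i9j0k1l2.webdev
"""

# Which profile each kind of work runs in; this mapping is an assumption.
TASK_PROFILES = {"browse": "default", "pentest": "offensive", "dev": "webdev"}


def list_profiles(ini_text):
    """Return {profile name: profile directory} for every [ProfileN] section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return {cfg[s]["Name"]: cfg[s]["Path"]
            for s in cfg.sections() if s.startswith("Profile")}


def launch_command(task, ini_text=SAMPLE_PROFILES_INI):
    """Build the firefox argv for a task, refusing profiles that do not exist.

    -P picks the profile by name; -no-remote starts a separate Firefox process
    instead of handing the request to an already-running instance, so the
    task profile is not silently opened inside the everyday one.
    """
    name = TASK_PROFILES[task]
    if name not in list_profiles(ini_text):
        raise KeyError(f"profile {name!r} is not defined in profiles.ini")
    return ["firefox", "-no-remote", "-P", name]


if __name__ == "__main__":
    for task in TASK_PROFILES:
        print(task, "->", shlex.join(launch_command(task)))
```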
Security Lessons from Nature – Happy Groundhog Day
- At February 02, 2010
- By Josh More
- In Natural History
- 0
Happy groundhog day. In honor of this special day, you get a picture and a scatter-shot of groundhog facts:
- The groundhog is also known as a whistle-pig, due to its tendency to make a whistling noise when predators are near. Much as monitoring systems will send SMS or email messages when an attack occurs.
- Groundhogs have two layers of fur, both a soft undercoat and guard hairs. This is a classic defense in depth strategy, against both cold and damp threats.
- Groundhogs mostly eat plants but won’t pass up the occasional delicious grub or bug. This allows them to supplement their dietary needs without having to track down the rare vegetative high-protein source like nuts or beans, which are needed in small quantities at various points in their lives. This is much like an organization hiring a 1099 resource as needed.
- They are one of the few creatures that truly hibernate and are generally utterly non-responsive for four to five months… which has no direct correlation to business, but there are days when I wish it did.
- They have a wide range of predators, including owls, dogs, bears, bobcats and coyotes. Younger ones are vulnerable to snakes and hawks. Much as a security program is constantly evolving and loses vulnerability to some threats but not others, the successful groundhogs grow large enough to be immune to the snakes and hawks.
- When predators strike, groundhogs will escape them by running to emergency burrows (hot site) or up a tree (cold site).
- Groundhogs are mostly solitary but also live in small communal burrows. This allows them to share the alerting responsibilities and leverage one another’s expertise… in much the same way that small teams can work most effectively in a small conference room where they can collaborate.
- The groundhog is in the Sciuridae family along with the squirrels (and a fragment of their genetic code can be found here (as part of the SequenceJuxtaposer project (which has nothing to do with security, but is still pretty neat))).
Image in the Creative Commons and is courtesy of ~Sage~ on Flickr.