Category Archives: Basic Lessons

Security is mostly a superstition. It does not exist in nature…. Life is either a daring adventure or nothing.

~ Helen Keller (1880 – 1968), The Open Door (1957)

TrueCrypt and NSA Lessons on Updating Projector Software

Science and R&D promise to keep moving data from the mysterious to the usable.

Security expertise tries to promise the same, with the same infinite number of possible failures. Fortunately, the latest exposure of those failures offers lessons we can apply to the projection room and to the networked devices attached to it.

From the NAB videos of John Hurst’s logical pleas (posted at CineTechGeek), to Bruce Schneier’s Disclosing vs. Hoarding Vulnerabilities article, to the flurry around Heartbleed, to the widely used TrueCrypt’s announcement…the message is the same: no matter the trauma, or threat of trauma, upgrade your software and firmware.

Breach Mitigation or Bust?

Even large corporates can fall foul of the weakest-link scenario: the attacker follows a likely-looking ‘suit’ home and cracks the probably-still-default encryption on the home Wi-Fi router. From there it is a relatively short journey to the machine that employee has attached to the corporate VPN.

From an ITPro article: Data security: is breach mitigation all that’s left? by Davey Winder (30 July 2012)

If you accept the premise that it’s inevitable your enterprise network will be attacked, and most likely breached, then is mitigation really where the IT security focus should be?

“All organisations are susceptible to being breached and anything contrary to that fact is false,” claims Marcus Carey, a security researcher at Rapid7. “It is impossible to eliminate all risk when it comes to network security.” IT security is all about minimising the risk level through the use of defence-in-depth strategies and incident response plans: detect and destroy is the motto of the day.

So is it right to suggest, as I have done in the introduction to this piece, that a network breach is all but inevitable? Perhaps unsurprisingly, opinion is divided on this one. Wade Baker, director of risk intelligence at Verizon, reckons that taking such a view is “unhelpful at best” and points out that “97 per cent of the attacks analysed in the 2012 Verizon Data Breach Investigations Report were avoidable, without the need for organisations to resort to difficult or expensive countermeasures.”

He does, however, admit that the security industry has long been guilty of placing the emphasis on prevention and not enough into detection and response. “Risk mitigation implies companies assume an almost passive role, checking no alarms have been tripped and watching who is trying to climb over the walls,” Baker insists, concluding “I would suggest that we need agile security teams that can take a proactive role and not only monitor external attacks, but also gain visibility of what is going on inside the network to check no one has sneaked past defences.”

Darien Kindlund, senior staff scientist at security specialist FireEye, is succinct in his disagreement. “In fact, it’s better to assume your organisation has already been compromised and develop defences based around that assumption,” he told IT Pro. “You will be less surprised and better prepared, accordingly”.

Or, as Arun Sood from SCIT Labs puts it: “The current cyber security approaches rely on prior knowledge of the vulnerabilities and the threats. However, the current approaches are in-adequate. Ensuring reliable and accurate knowledge of the vulnerabilities and the attacker, is impossible – there are far too many threads to track at any one time. Attempts at increasing probability of detection leads to rapid increase in false positives and thus security operations costs. Thus we believe that intrusions are inevitable. Mitigation strategies are required for limiting the losses”.

Dead duck security?

But if the mitigation argument holds up, where does that leave attack prevention? Is it really pointless to try and prevent a breach, and should resources therefore be focused on containment instead? Filippo Cassini, vice president of International Systems Engineering at Fortinet, certainly doesn’t hold with the ‘pointless’ argument, suggesting that leaving prevention out of the equation “would be like taking away seat belts from a car because we have airbags.”

Or as Kevin Dowd, CEO at CNS, says: “surviving an advanced and sustained attack would be difficult for many businesses, but that doesn’t mean they should give up.” Indeed, he believes they should have countermeasures in place that make an attack too challenging in terms of the resources needed. “This is where most businesses could do better,” Dowd insists. “Often, SMEs think that they are too small or not visible enough to be a target.”

Consequently, detective capabilities are often weak: the Verizon 2012 Data Breach Investigations Report found that 92 per cent of incidents were discovered by a third party, and businesses end up developing their security strategy under duress.

Mitigating post-hack is more difficult and expensive. “We estimate that every pound spent up front on security measures is worth ten pounds after a breach, when businesses can be faced with high emergency response rates and consultants on site for longer than would previously have been necessary,” Dowd adds.

Much of this can be mitigated into oblivion by getting rid of the sensitive data in the first place – by outsourcing payments so as to avoid holding card data, for example – and improving the governance structure.

In conclusion

It’s all very well talking about mitigation in terms of containment and analysis, but this whole argument surely stands or falls on whether the breach itself is detected in a timely fashion. I would argue that, in far too many instances, detection doesn’t happen until weeks after the breach event itself and sometimes those weeks can run into months.

Verizon’s Baker told me that amongst the more advanced attacks he has investigated, such as those which target intellectual property and are difficult to spot, “many take a year or more to pinpoint, and we suspect that many more are simply never discovered by the victim.”

I’m not suggesting that breach mitigation is a red herring, and it’s certainly no dead duck either, but for a mitigation strategy to work successfully it has to be coupled with effective real-time breach detection technology to prevent data loss.

“To be successful in attack mitigation you need to firstly understand what’s happening and then target your resources appropriately to contain and eradicate the threat,” says Don Smith, director of technology at Dell SecureWorks, who warns that learning from your mistakes is a vital link in the chain and one that reactive mitigation alone is unlikely to forge.

“If your focus is always on reacting to successful breaches you are going to be the easiest target and will be breached a lot,” Smith says. “You need to focus on prevention, monitoring and how you successfully respond to a breach, not spend all your time looking at the past.”

The Basics and a Tool for Creative Commons

A nice article giving the basics of the Creative Commons License from Katherine Noyes in PC World: How to Protect Your Artistic Works With a Creative Commons License | PCWorld Business Center

Followed by another of her articles, which refers to a tool that helps you decide which license to choose for your situation: Need to Choose a Creative Commons License? This New Tool Can Help | PCWorld Business Center

How To Break Into Security-Part One

Krebs on Security has started a series named How To Break Into Security.

I decided to ask some of the brightest minds in the security industry today what advice they’d give. Almost everyone I asked said they, too, frequently get asked the very same question, but each had surprisingly different takes on the subject.

How to Break Into Security, Ptacek Edition — Krebs on Security

Now might be a good time to give the job of reading these to your apprentice.

Password Ideas…There Will Be No Sympathy

There are some who say to pick a song: I Got To Get You Out of My Life becomes IGTGYOOML, then add numbers and lower-case letters over time.

Good luck. Whatever you do, do it soon.
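To put numbers on the song-mnemonic idea above, here is an added example in Python; it is not code from this post, from GRC or from xkcd. It reproduces the arithmetic behind the two linked pages: GRC’s “haystack” (every string up to the password’s length over the character classes actually used) and the xkcd-style estimate for random words from a list the attacker knows. The character-class sizes, the 10^12 guesses-per-second rate and the 2,048-word list size are assumptions of this example, as is the “42xy” padding standing in for the post’s “add numbers and lower-case letters over time”.

```python
"""Password search-space arithmetic for the post's IGTGYOOML example.

Added example, not code from the post, from GRC or from xkcd. It reproduces
the idea behind GRC's Password Haystacks page (count every string up to the
password's length over the character classes actually used) and the xkcd
passphrase estimate (random words from a list the attacker knows). The class
sizes, the 1e12 guesses/second rate and the 2,048-word list are assumptions
of this example.
"""
import math
import string

# Assumed character-class sizes; 33 symbols = 32 ASCII punctuation marks + space.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def mnemonic(line: str) -> str:
    """First letter of each word, upper-cased, as the post does:
    'I Got To Get You Out of My Life' -> 'IGTGYOOML'."""
    return "".join(word[0].upper() for word in line.split())


def classes_used(password: str) -> set:
    """Which of the four classes appear; rejects anything outside printable ASCII."""
    used = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.digits:
            used.add("digit")
        elif ch in string.punctuation or ch == " ":
            used.add("symbol")
        else:
            raise ValueError(f"unsupported character {ch!r}")
    return used


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password."""
    return sum(CLASS_SIZES[c] for c in classes_used(password))


def haystack_size(password: str) -> int:
    """Strings an exhaustive search must try: every length 1..len(password)
    over the alphabet the password draws from (GRC's haystack count)."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def passphrase_bits(words: int, wordlist_size: int = 2048) -> float:
    """Entropy of `words` words picked uniformly from a list the attacker knows."""
    return words * math.log2(wordlist_size)


def compare(candidates: dict, guesses_per_second: float = 1e12) -> dict:
    """Per-candidate length, alphabet, search space, bits and worst-case years
    for an attacker who tries the whole haystack at the assumed rate."""
    seconds_per_year = 365 * 24 * 3600
    report = {}
    for label, pw in candidates.items():
        size = haystack_size(pw)
        report[label] = {
            "length": len(pw),
            "alphabet": alphabet_size(pw),
            "search_space": size,
            "bits": math.log2(size),
            "years": size / guesses_per_second / seconds_per_year,
        }
    return report


if __name__ == "__main__":
    base = mnemonic("I Got To Get You Out of My Life")
    padded = base + "42xy"  # assumed padding: digits plus lower-case letters
    for label, row in compare({"mnemonic": base, "padded": padded}).items():
        print(f"{label:9s} len={row['length']:2d} alphabet={row['alphabet']:2d} "
              f"bits={row['bits']:5.1f} years@1e12/s={row['years']:.3g}")
    print(f"4 random words from a 2048-word list: {passphrase_bits(4):.0f} bits")
```

The haystack number is the attacker’s worst case: it assumes they know nothing about how the password was built. An attacker who guesses that it is a song-title mnemonic is searching the catalogue of song titles, not 26 to the ninth, which is why both linked pages push length (padding) or genuinely random word choice rather than cleverness. Note also that adding three or four characters of a new class grows the haystack by many orders of magnitude, which is the arithmetic behind the “add to it over time” advice.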

GRC’s | Password Haystacks: How Well Hidden is Your Needle?

xkcd: Password Strength

Memorable PassPhrase

What are mnemonics? | Learn Language Vocabulary with Mnemonics @ Memorista.com

Wireshark 101 Webinar Offline–A First

Explaining nuance to those who are merely tangential to the field of that nuance always comes close to explaining magic. At CinemaCon, the marketing gurus (or teams) who win the excellence awards fortunately won’t explain what it is they did to achieve the year’s or lifetime prize. (Spoiler: teamwork and happy clients.) Likewise, the technology award show that the Academy of Motion Picture Arts and Sciences held the week before the more famous event doesn’t become a course in the latest de-Bayering technology. (Teamwork and excited photons. See: Albert Einstein: Why Light is Quantum)

For those with a between-events craving for awards, the DCinemaTools Security Section would like to give the “Explaining to non-technical people what the interwebz looks like while it is working” award to Wireshark University founder and chief explainer Laura Chappell. [This may take a re-working of what non-technical really means.] And in a great quirk of fate, since we encouraged everyone to sign up for the 101 Course webinar last month (but really…how many people did it?), the usually online-only course is suddenly available for offline viewing…even downloading!

Here is what the email says:

Yes – I have good and bad news about the Wireshark 101 webinar you were scheduled for tomorrow. I have a conflict on my schedule and will need to cancel the webinar. (That’s the bad news.)

The good news is that at 3:00am this morning I uploaded the newly-recorded webinar (as so many people have requested). The Wireshark 101 class is now available for online or offline viewing! (Seriously – download the FLV files if you want!)

View/Download Location: www.lcuportal2.com (click Free Wireshark Class on left) – or click the direct link here.

There are four sections in the class:

Part 1 [14:17]: Wireshark Internals and Placement (drivers, capture on switched networks, capture at the client first)

Part 2 [10:54]: Creating Profiles and Using Capture Filters (customization, capture filtering, capture to file sets, ring buffer)

Part 3 [14:17]: Display Filters and Coloring Rules (fast display filter techniques, color-coding lousy traffic patterns)

Part 4 [15:00]: Expert, Charts and Graphs (launching the Expert, interpreting IO/RTT/Time-Sequence graphs)

I know folks have asked for this for a loooooong time. The conflict on the schedule pushed me to get this done!

If you have questions after watching the course, email those questions to Joy DeManty ([email protected]) – I’ll be adding a “Most Commonly Asked Questions” video to the set!

I’m not sure why you are reading further. Get those instructional videos for yourself and your friends. Don’t waste time around here. And bookmark the ChappellU site so that you can grab those Most Commonly Asked Questions when they are released.
