Archive for April, 2007...
Filed under Security
I discovered Jeff Snyder’s Security Recruiter blog the other day via Rothman’s blog, and I read his latest post about what a banking client was looking for in a security candidate. Seems like they want someone with “Risk Management” experience and “a deep understanding of Regulatory Compliance issues.” Makes sense. But wait! There is a caveat!
My client wants a candidate who has worked with regulations that have “Teeth”. In other words, while HIPAA is most definitely a body of regulatory compliance mandates, the argument was that to date, nobody on the call could think of a person who had gone to jail over a HIPAA issue. However, make a crucial privacy mistake in a bank or financial services organization and somebody is in serious trouble and could end up in jail.
So basically, they would not want me because most of my compliance experience lies in HIPAA. At first, that got my hackles up because I feel like I am as good as anyone working on SOX compliance. But then I thought better of that feeling. Because even though I feel like I did a pretty good job at getting my previous employer compliant, I also know that the more I worked there, the less pressure I felt to get it done because the news stories kept coming down about problems, but no one was getting in trouble!
So, like the title of this post, I understand where Mr. Snyder’s client is coming from. If you ain’t felt the pressure, then you might not have done the best you could. They need someone who can work with that Sword of Damocles hanging over their head.
In general, Jeff Snyder’s blog is an interesting read. There is some good insight into what firms are looking for in a security professional. I suggest taking a look.
Posted by Michael Farnum on Sunday, April 29th, 2007
Filed under Security

Posted by Michael Farnum on Friday, April 27th, 2007
Filed under Security
My sales guy and I have a small little office in one of those business suite companies (actually, the company is called Businessuites) where there are several small companies on a single floor that has a single receptionist, etc. Anyway, we have a firewall / VPN device, a switch, a WAP, and a little NAS in our office, and they had all been on the floor near a corner with cables hanging everywhere. So I finally broke down and went to Target (pronounced Tar - jay, of course) to find a little table or something to put all the equipment on. Well, I found a nice little entertainment center thingie that has two glass doors that open outward. So I put all the stuff in there, got it all cleaned up, took a moment to be a little proud of my work, and then sat back at my desk.
Then, as I was working, I looked over at the little piece of furniture, and I noticed the blinking lights of the firewall and the switch, and it hit me that blinking lights behind glass are just plain cool, even on this small of a scale. Now I know most of you have been awed by a cool datacenter with wiring racks and switches and routers and whatever else sitting behind a big pane of glass. I know I have seen some really spectacular ones in my time. But it still struck me that a pane of glass is really what it takes. And for the life of me, I don’t know why…
Posted by Michael Farnum on Thursday, April 26th, 2007
Filed under Security
LoverVamp has taken issue with Andy’s post about user education being the key to security. LV says:
I’m not sure I would say that user education is key and that without it we may as well put up open wifi. I think user education is very important, but it won’t solve IT security any more than education has solved drug use, teen pregnancy, or STDs.
While LV is going after Andy for a comment that was really tongue-in-cheek, I thought his analogy about drug use and sex education was appropriate. So, as some are doing in sex education, I propose that we move towards abstinence in IT security education. If we just take everyone’s computer away, we have no more IT security problems! Instead of wearing the digital condoms created by firewalls, IDS/IPS, NAC, etc., we just rip the friggin’ plugs out of the wall and be done with it! That would really reduce everyone’s stress factor.
Posted by Michael Farnum on Thursday, April 26th, 2007
Filed under Security
Let’s talk about manufacturers for a bit. This may seem a bit jaded, but manufacturers are often viewed the same way as politicians. They make promises that their technology can do such-and-such, but in the end, they really don’t do much different than the next technology that is trying to do the same thing. It would be different if that manufacturer’s technology was the only one that could do what they do, and those pop up every now and again. But in reality, when you look at these companies, you really find that there are at least three or four other companies that do the same thing.
Not to pick on Alan, but let’s talk about NAC. There are so many companies jumping on the NAC bandwagon, it is almost impossible to tell which one fits your environment the best. And since so many of these companies are doing the same thing the same way, the differentiation is often not worth the time to find. Those vendors are going to do everything they can to make you see what makes them different and better than the other guy, but it really comes down to your environment.
When you look at it from the perspective of your environment, there is no “best” NAC vendor, or firewall vendor, or IPS vendor, or whatever. Yes, you can grade them. You can come up with an IPS that has fewer false positives and has gigabit capability. But if that IPS doesn’t fit in your network for some reason, then it is not the best. Maybe another IPS with lower scores in the trade rag fits your network because of some quirk in your environment. That makes it better than the other IPS, plain and simple, because the IPS with the higher grade did not possess some feature that your environment called for.
And I mean no offense to my other manufacturer friends out there, but all of this often makes me wonder just how honest vendors really are. Do they really think their technology is the best? Do they think they fit in any environment? It seems like it because they try to sell it to everyone. Don’t get me wrong. I understand trying to make money. But how can they push their product where it really doesn’t belong just to make a buck? It can’t possibly be the best fit for everyone. Cisco tries, and they often succeed at getting everywhere, but that doesn’t mean they actually fit in all cases (probably not in most).
From a personal perspective, I have experience interviewing for jobs with vendors. In one interview, one of the questions they asked me was what would I do if I went to a customer where I thought we weren’t the right fit. I told them point blank that I would tell the customer that we didn’t fit. I thought their jaws were going to hit the floor. I knew when I said it that it was not the “right” answer, but it was the honest answer. And no, I didn’t get the job. Whether it was because of that answer or not, I really don’t know.
Anyway, I don’t think EVERY manufacturer is made up of a bunch of crooks, but I often see them sell their product where it doesn’t fit and then move on to the next sale without looking back. This is why so many people have the jaded view that I have. Of course, being a realist, is there any success in being totally honest in selling situations where you don’t fit? Are they simply going with the model that works? I guess that may be the case. But I think it would just make me feel dirty.
Posted by Michael Farnum on Tuesday, April 24th, 2007
Filed under Security
Since I started working at Accuvant, I have been leery of blogging about products that we sell. Since we are not a manufacturer, I don’t feel like I have to worry as much about becoming a corporate whore, but I want to make sure I stay somewhat above the fray so I don’t look like I am an Accuvant mouthpiece.
All that being said, if I like a product a lot, I will pimp it here. And I have come across just such a product. I am speaking of Nitrosecurity’s NitroView product. This is a network+security information management product that really kicks some major buttocks. This thing is ridiculously fast. You really need to see a demo to appreciate the speed, but I have never seen something do lookups for reporting as fast as it does. And it maintains this speed while simultaneously not degrading its performance on capturing events. It is based on their Nitroedb database, which was originally designed for the government, and it is very, very fast.
And speaking of the reporting, a known fact is that many SIEM products either do a good job at capturing and storing events, or they do a great job of reporting (I wrote about that dynamic at my CW blog). However, NitroView does a great job with both. The reporting engine is nothing short of miraculous. The drill-down capability is wonderful, and the ease of use is beyond compare (they use Flash for the reporting front-end - very smart).
One thing the product lacked a couple of months ago was the ability to pull in many feeds from different devices. However, they have done a superior job in getting that done. They have taken an 80/20 view, making sure they capture the top 80 percent of the players, and that seems to be serving them well.
I have seen this product demo’d several times. The customers are always just astounded at what this thing can do. It is almost a guaranteed move to an evaluation when they see the demo. Speaking of that, I am about to participate in a couple of evaluation installs here in Houston. I can’t wait to get my hands on this thing.
Nitrosecurity also sells an IPS that I don’t have much experience on, so I can’t talk to it. But I expect to be getting familiar with it very soon since we are also planning on putting it in at a customer fairly soon. I do know that their Nitroview product can couple their IPS data with Netflow data to give some great event correlation.
It is worth a look. Let me know what you think.
Posted by Michael Farnum on Tuesday, April 24th, 2007
Filed under Security
Is it just my imagination, or has there been a lack of security blogging meat here lately? There have been a few things happening, but I am fairly bored with stuff right now. The Mac Book hack over at Matasano was pretty cool, but I honestly didn’t want to blog about it because it all just sounded like the typical “Bash Mac because of arrogance - Love Mac because it’s pretty” thing that goes around and around.
The typical ID theft stuff keeps happening. No change there.
The Virginia Tech and Johnson Space Center shootings really screwed up things, and I posted a short blurb on the VT massacre on my personal blog, but I usually don’t post about those things here.
I am not much of a product news guy, even though there have been a few things going on there.
What is going on? I know it sounds kinda sick because I want something to happen.
Posted by Michael Farnum on Monday, April 23rd, 2007
Filed under Security
The TRISC show is coming up in a month. If you are in Texas and are interested in going, sign up soon. There are some good keynotes, and yours truly is speaking there about using blogging as a research tool. Download the brochure here.
I also found out yesterday that Cutaway, a blogging buddy of mine, will be there. This will be the second time we have met. We met at RSA in February at the blogger’s gathering, and I look forward to seeing him again. He blogged about TRISC here.
My other buddy Martin McKeay will be there as well.
I am planning on using both of these guys as props for my talk, BTW, so if you want to meet them, come to my talk.
Posted by Michael Farnum on Thursday, April 19th, 2007
Filed under Security
Congrats to David Maynor at the Errata Security blog. You are an official Information Security Place Orange Juice Award recipient for your hilarious post about the recent RIM Blackberry outage. I know, I know… you are honored and humbled. No need to get mushy.
Seriously, that was funny stuff. I especially like the part about the bloody hook.
And you were spot on with this comment:
A hiccup in one company’s operation should not cause a continent of mobile users to suffer an outage.
Posted by Michael Farnum on Wednesday, April 18th, 2007
Filed under Security
Andy, IT Guy has accused me of being jealous about his blogging success and says I tried to run him off the road. Well, here’s the truth Andy. I never get my own hands dirty. I have people to take care of my light work.
And I also have inserted some code into your website, so I am tracking your stats. I’ll let you know when you get too close. When that happens, be looking for a couple of guys with accents and attitudes knocking at your door.
Posted by Michael Farnum on Tuesday, April 17th, 2007
Filed under Security
Looks like my friends at Alert Logic have received a top notch review from SC Magazine. Congrats guys!
Take a look here for the article (PDF).
Posted by Michael Farnum on Monday, April 16th, 2007
Filed under Security
This is kinda funny. Computerworld put out an article about 20 “must have” Firefox extensions. Then, they put out an article on 10 Firefox extensions to avoid. And in that “avoid” article, they talked about the NoScript plugin, a plugin that I use and love. Here’s what they say about avoiding this plugin:
This extension is hugely popular and works as advertised, giving you control over which JavaScript, Java and other executable content on a page can run, depending on that content’s source domain. You whitelist the sites you consider safe and blacklist the sites you don’t.
If you really have a need for this kind of control, then you’re already using the extension and will continue to do so. But for the average Web surfer, constantly having to whitelist sites so that scripts can execute in order to give you a fully formed Web experience gets tedious very quickly.
Does NoScript make Firefox safer? Sure. Is it worth the hassle? No. For some reason, paranoia seems to be cool among Web geeks, but for the most part, it is totally unwarranted unless you’re sending and receiving sensitive data. Most typical Web surfers who install this extension remove it after the novelty wears off.
A few points:
1. If it is hugely popular, then obviously there’s something to it.
2. What I find most amusing about this is that the majority of Firefox users ARE geeks of some sort. “Typical Web surfers” aren’t using Firefox nearly as much as IE. And even if they are using FF, those that find this type of plugin even remotely interesting want it from a security aspect or just want to know what is running, so why even address this as a plugin to avoid? This really makes no sense to me.
3. The article also says to avoid Greasemonkey (a plugin they had suggested as one of the “must haves” - that’s funny just by itself). This plugin allows you to use your own JavaScript to customize how webpages are displayed, and you can use scripts written by others. This strikes me as inconsistent. I know that this is not really the same, since these are really doing two different things, but they both use JavaScript, and JavaScript can be dangerous in either case.
4. They use the term “paranoia” like it is an insult or something to be avoided. Dude, paranoia is a good thing!
Posted by Michael Farnum on Friday, April 13th, 2007
Filed under Security
Been covering for our Dallas SE this week and last week, so it has been crazy lately. I went from covering one sales rep to covering six, so I have been travelling to Dallas quite a bit (twice this week, and spent last night here). Hopefully I will be back in the swing of things next week.
Posted by Michael Farnum on Thursday, April 12th, 2007
Filed under Security, Security Products
In Dallas today doing a quick dive into the Websense Content Protection Suite. This is the information leakage protection product formerly known as PortAuthority. I looked at these guys a while back when I was a security manager. They get their accuracy by fingerprinting your data. Basically, they crawl your files and databases and match based on that versus just matching on a string that looks like an SSN or a driver’s license number, which can lead to high false positives (they can match on strings as well).
What interested me even more today was their explanation of when you actually have a compliance violation. Let’s say your HR person sends out an SSN via email. Your first inclination is that you have a violation on your hands. But if you send an SSN without a name or other identifiable info that can be tied to that SSN, then you have no violation. And like I said above, matching on strings can lead to false positives, so you can avoid that with this technology.
They can filter http, ftp, smtp, IM, and some others. As soon as I get a more in depth demo, I will talk more about it.
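To make the fingerprinting-versus-pattern-matching distinction concrete, here is an added example that is not part of the original post and is not Websense or PortAuthority code. It assumes a small constructed HR record set, a constructed HMAC key, and a classifier that only reports a violation when a fingerprinted SSN appears together with the name from the same record; every name, number and key in it is fictional.

```python
import hashlib
import hmac
import re

# Constructed sample records standing in for the HR database a DLP product
# would crawl and fingerprint. All names and numbers here are fictional.
HR_RECORDS = [
    {"name": "Jane Example", "ssn": "123-45-6789"},
    {"name": "Sam Sample", "ssn": "987-65-4321"},
]

# Assumed secret for the keyed hash. A plain SHA-256 of a nine-digit number
# can be reversed by enumerating all 10^9 values, so the index uses HMAC.
FINGERPRINT_KEY = b"constructed-demo-key-not-for-production"

# Pattern-based detection: anything shaped like an SSN. This is exactly the
# rule that produces false positives on order numbers and similar strings.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def normalize(value):
    """Lower-case and strip punctuation/whitespace so formatting differences don't matter."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def fingerprint(value):
    """Keyed hash of the normalized value; the index never stores plaintext SSNs."""
    return hmac.new(FINGERPRINT_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records):
    """Map the fingerprint of each real SSN to the normalized name it belongs to."""
    return {fingerprint(rec["ssn"]): normalize(rec["name"]) for rec in records}


INDEX = build_index(HR_RECORDS)


def pattern_hits(text):
    """Everything the regex alone would flag, false positives included."""
    return SSN_PATTERN.findall(text)


def fingerprint_hits(text, index=INDEX):
    """Only candidates whose fingerprint matches a record we actually hold."""
    return [(c, index[fingerprint(c)]) for c in SSN_PATTERN.findall(text)
            if fingerprint(c) in index]


def classify(text, index=INDEX):
    """
    'clean'     : no real SSN present (regex-only hits are ignored)
    'ssn-only'  : a real SSN, but no name from the matching record alongside it
    'violation' : a real SSN together with the identifying name
    """
    hits = fingerprint_hits(text, index)
    if not hits:
        return "clean"
    body = normalize(text)
    if any(name in body for _, name in hits):
        return "violation"
    return "ssn-only"


if __name__ == "__main__":
    samples = [
        "Order #555-12-3456 shipped today",
        "SSN on file: 123-45-6789",
        "Jane Example, SSN 123-45-6789, starts Monday",
    ]
    for s in samples:
        print(f"{classify(s):10} regex={pattern_hits(s)} fp={fingerprint_hits(s)} | {s}")
```

The first sample shows the false positive the post mentions: the regex flags an order number, the fingerprint index does not. The second and third samples separate a bare SSN from an SSN tied to a name, which is the distinction the Websense folks drew about when a compliance violation actually exists. A real product does considerably more (partial-document matching, database column fingerprints, tolerance for reformatting), but the keyed-hash index and the "identifiable info present" rule are the two ideas worth taking away.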
Posted by Michael Farnum on Monday, April 9th, 2007
Filed under Malware, Security, Sheesh
A client called me at 8:30am yesterday in a panic because they had the Rinbot worm running around in their network. The client is actually a former employer of mine, and they still have much of the same hardware and software as when I was there 6 years ago, which means Dell Pentium 3 400 MHz servers and NT 4.0. They kept cleaning up their servers and getting re-infected, so something was getting missed. They have servers spread out between their corporate site and their colocation facility, and the link between the two is a fiber link that has no firewall or any real segmentation at all. So, getting all the servers clean has proven problematic.
The recommended patch for NT to stop Rinbot didn’t work, so I had them temporarily disable the IPC$ share on their important servers, and today we are going to try Determina’s HIPS product to see if we can stop it and identify where it is coming from. We’ll see what happens.
It’s been a while since I have had to fight one of these buggers. It was actually quite refreshing. Something different, and it brought back memories.
Here’s a pretty cool blog post about Rinbot.
Posted by Michael Farnum on Thursday, April 5th, 2007
Filed under Security
My wife and I had to travel to Dallas in separate vehicles on Monday. We came back yesterday. I was following her, and we both stopped for a bio break and to get some gas. We both pulled up to the gas station at the same pump, her minivan on one side, my car on the other. I used my credit card on my side of the pump, then I handed the same card to her on the other side. So we had two transactions on the same card at the same gas station at the same pump within 15 seconds of each other.
Now I know I just presented a scenario where this could happen. But my mind immediately started wondering if I was going to get a call from Visa. This just seems like the type of thing that should kick off a warning. I wouldn’t think they would wonder if my wife had used her card and I had used mine, since obviously we can be in two different locations at the same time. But I don’t think this would be classified the same way.
Of course, I did receive calls when I started travelling to Dallas frequently, but after the second time I told them that I would be going to Dallas a lot, so I think they started filtering those transactions. But I wonder if this should not have set off something.
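The two rules the post is wondering about (a repeat authorization at the same terminal seconds apart, and a purchase outside the cardholder’s usual cities, with the "I’ll be going to Dallas a lot" exception learned into a profile) can be sketched in a few lines. This is an added example, not code from the original post and not how Visa or any issuer actually scores transactions; the authorization log, merchant and terminal ids, cities and the travel profile are all constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization log for one card. Merchant/terminal ids and
# cities are fictional; the two pump entries reproduce the "same pump,
# 15 seconds apart" case from the post.
AUTHORIZATIONS = [
    {"card": "4111-demo", "merchant": "hotel-12", "terminal": "frontdesk",
     "city": "Dallas", "amount": 129.00, "ts": "2007-04-02T20:15:00"},
    {"card": "4111-demo", "merchant": "fuel-stop-77", "terminal": "pump-4",
     "city": "Huntsville", "amount": 41.20, "ts": "2007-04-03T14:02:10"},
    {"card": "4111-demo", "merchant": "fuel-stop-77", "terminal": "pump-4",
     "city": "Huntsville", "amount": 55.80, "ts": "2007-04-03T14:02:25"},
    {"card": "4111-demo", "merchant": "cafe-9", "terminal": "reg-1",
     "city": "Denver", "amount": 12.50, "ts": "2007-04-05T09:00:00"},
]

# Constructed travel profile: cities the issuer has learned are normal for
# this card (the post's "told them I would be going to Dallas a lot").
KNOWN_CITIES = {"4111-demo": {"Houston", "Dallas", "Huntsville"}}


def parse(records):
    """Convert ISO timestamps to datetime objects, leaving other fields as-is."""
    return [dict(r, ts=datetime.fromisoformat(r["ts"])) for r in records]


def rapid_repeat_alerts(records, window=timedelta(seconds=60)):
    """Flag a second authorization on the same card at the same merchant
    terminal inside the time window. Terminal identity matters: two
    different merchants in the same minute is a different signal."""
    alerts = []
    seen = defaultdict(list)  # card -> earlier authorizations, in time order
    for tx in sorted(parse(records), key=lambda t: t["ts"]):
        for prior in seen[tx["card"]]:
            same_terminal = (prior["merchant"], prior["terminal"]) == (tx["merchant"], tx["terminal"])
            if same_terminal and tx["ts"] - prior["ts"] <= window:
                alerts.append({
                    "rule": "rapid-repeat",
                    "card": tx["card"],
                    "terminal": tx["terminal"],
                    "gap_seconds": int((tx["ts"] - prior["ts"]).total_seconds()),
                })
        seen[tx["card"]].append(tx)
    return alerts


def unfamiliar_city_alerts(records, profiles=KNOWN_CITIES):
    """Flag an authorization in a city that is not in the card's learned profile."""
    return [
        {"rule": "unfamiliar-city", "card": tx["card"], "city": tx["city"]}
        for tx in parse(records)
        if tx["city"] not in profiles.get(tx["card"], set())
    ]


def evaluate(records, profiles=KNOWN_CITIES):
    """Run both rules and return every alert they produce."""
    return rapid_repeat_alerts(records) + unfamiliar_city_alerts(records, profiles)


if __name__ == "__main__":
    for alert in evaluate(AUTHORIZATIONS):
        print(alert)
```

With the constructed profile in place, the Dallas hotel and the Huntsville pump stops pass the city rule, only the Denver purchase trips it, and the two pump authorizations 15 seconds apart trip the rapid-repeat rule regardless of the profile. Whether an issuer should phone the cardholder for that last case is exactly the judgment the post is asking about; the rule just makes the event visible.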
Posted by Michael Farnum on Wednesday, April 4th, 2007
Filed under Security, Security Education, Training
Want some training on defeating rogue APs? Want to learn how to defend against Google hacking? Well, you’re in luck!! Douglas Haider is a buddy of mine, and he is one of Accuvant’s Senior Wireless Security Consultants. He is teaching some SANS courses in the Dallas and Irving areas. This dude knows his stuff. You don’t want to miss these classes. Below is the information release on the courses.
*****************************************************
The SANS Institute is pleased to bring the Stay Sharp training program
to Dallas and Irving! We invite you to participate in the following
classroom sessions with Stay Sharp Instructor Douglas Haider:
* Security 450: Defeating Rogue Access Points
Monday, May 7, 2007 - 6:00pm-9:00pm
Dallas, Texas
http://www.sans.org/info/4686
* Security 550: Google Hacking and Defense
Wednesday, May 30, 2007 - 9:00am-12:00pm
Irving, Texas
http://www.sans.org/info/4691
**SPECIAL OFFER**
Register for both of the above classes and receive a 10% discount off
your tuition fees! Please e-mail staysharp@sans.org for a discount code
BEFORE registering online as discounts are not retroactive.
Complete course descriptions and event details for these classes can be
found by clicking on the links above. Take advantage of small class
sizes and a convenient location to learn a specialized technical skill
in a single evening. Space for these classes is limited, so register
today while there are still seats available!
Alumni of SANS’ Stay Sharp Program agree on the value of this training:
“Very practical and to the point.” - Lyn Champagne, Dept of Justice
“A lot of information for an investment of just 3 hours.” - John
Broyski, Hudson Valley FCU
“Learned a great deal about tools I thought I already knew how to use.
Well worth my time.” - Frank Giachino, Rechitel
SANS Stay Sharp Program is bringing hands-on practical training right
to you! Don’t miss out on this great opportunity to build and maintain
your technical skills. We hope to see you there!
*****************************************************
Posted by Michael Farnum on Wednesday, April 4th, 2007
Filed under Security
Cobia Beta has been released by StillSecure. Cobia is similar to UTM, but it is combining a lot of different aspects of networking as well as security in one package. I have done some alpha testing on the product, though I have not been able to really sink my teeth into it yet. I like the interface, and the idea is good. I will be taking some time (like I have much of that) to get a good look into Cobia, and I will be posting a review sometime soon hopefully.
Disclaimer: The StillSecure guys are good friends of mine. However, I think I can be impartial (how much was that check for, Mitchell?)
Go here to take a look at Cobia.
Posted by Michael Farnum on Tuesday, April 3rd, 2007
Filed under Blogging
Take a look at this link. I think this is a splog (spam blog) about taxis. It picked up my post about the cab driver incident involving Alan, Mitchell, and myself when we were at RSA. I don’t think I have ever been linked by a splog before. Weird.
Posted by Michael Farnum on Sunday, April 1st, 2007