Archive for August, 2007

Miessler views GSEC cert with more favor than CISSP

August 31st, 2007 Michael Farnum

Daniel Miessler has posted a pretty good breakdown of the differences between the GSEC cert and the CISSP cert.  He approaches it from the angle of which one requires more technical savvy. 

Without a doubt the GSEC is the more technical of the two.  I have both, and the GSEC was infinitely more technical and required much more study and dedication.  Yes, it is open book.  But you try to read through those books and find all the correct answers in the time allotted (of course, if you have the old PDF files, you stand a better chance).

The CISSP was difficult just because of the sheer magnitude of it and the number of different areas you have to have knowledge of.  But as Daniel says, you can cram for that and then forget it.  The GSEC really does not work that way.

So for the most part, I agree with Daniel’s post in its intended premise, which is that GSEC is more technical in nature.  However, both serve different purposes, so I believe both are valuable.

Vet

Categories: Security

Motorola suing Aruba

August 30th, 2007 Michael Farnum

Motorola just got awarded some patents this year, and they claim Aruba is selling that same technology.  Take a look here.

Vet

Categories: Security

Guess we’ll still be taking off our shoes at the airport

August 28th, 2007 Michael Farnum

Here’s a USA Today story about the shoe scanner getting the boot (get it?? the boot?? Come on, that was funny!!).

Vet

Categories: Security

Announcing a new / old security blog @ Securosis.com

August 25th, 2007 Michael Farnum

Looks like Mr. Mogull is on his own now.  He gave some good years to Gartner, learned a lot, and now he is running the independent race.  And that means he can blog on security again… WOO HOO!!  That also means that I can put him back into my “Security Blogs” feed in BlogBridge (you were in the Misc category for a while Rich – sorry). 

I am looking forward to reading your viewpoints on security again, Rich.  Welcome back!  And good luck with the new venture.

Vet

Categories: Security

Why IDS will be around

August 24th, 2007 Michael Farnum

OK, here’s the post I promised on why I agree that IDS is not dead and won’t be for a while.  What it all essentially comes down to is reality.  In theory, any network should be designed following the Core-Distribution-Access model. 

C-D-A Model

First of all, this is obviously a very simplified diagram, so don’t slam me on that point please.  I didn’t feel like getting crazy complicated on the drawing.

Anyway, instead of typing out my own description of this model, let me just quote Cisco (got it from here):

In a well-formed hierarchical network, there are three easily defined layers, traditionally referred to as the access, distribution, and core layers.

Each of these layers provides a different function. The layers do not need to exist in clear and distinct physical entities, but the functionality needs to exist in an enterprise network. To help understand these functional layers, the traditional layers have been modified to access or workgroup, distribution or policy, and core or backbone.

The main function of the access or workgroup layer is to connect users. Other functions represented by this layer are shared bandwidth, switched bandwidth, MAC-layer filtering, and micro segmentation. LAN switches, for example the Catalyst 5000 and Catalyst 5500 switches, exist most commonly in this layer of the network.

The distribution or policy layer performs the policy-based operations. It performs the complex, CPU-intensive calculations such as filtering, access lists, inter-VLAN routing, Group Multicast Protocol (GMP), broadcast and multicast domain definition, and address or area aggregation. This layer may also contain the local servers. ATM switches and routers reside in the distribution layer, and sometimes LAN switches may reside here as well.

The core or backbone layer is the backbone of the network. It should be high-speed and concerned mainly with switching traffic as quickly as possible. It should not get involved in “expensive” packet manipulation. ATM connections or Fast Ethernet connections, which function as a backup, should make up the core backbone. The central servers may also be attached to the high-speed backbone in the core. ATM switches, high-speed routers, and sometimes LAN switches can be found in the core.

Now, I don’t agree with the statement about central servers in the last sentence.  Though it probably made sense from a speed standpoint a few years ago, it really is not essential in today’s high speed networks.  And it breaks some security rules as well, especially in today’s PCI world (segmentation is king).  But beyond that, I agree with this write-up.

And IF you are set up like this, IPS can fit very well in your environment as stand alone boxes or in a UTM.

C-D-A Model with IPS

I didn’t label them very well, but if you look closely, you will see the IPS boxes guarding the core by being placed on the lines coming from the distribution layer.  In this scenario, you are effectively creating a ring around your core.  You also have almost perfect knowledge of what is going on in your network because almost everything is going to hit your core eventually.

But if you notice on the first picture, I labeled it “How it should be”.  If you have this model, or you have enough money to re-architect your network, then you can guard your core with a proactive solution and have a very good idea of what is running around in your network.  But here’s what most people’s networks actually look like:

Reality

Tell me I’m wrong! :)

I’m a realist for the most part (I have a lot of ideals, but they mostly just get me in trouble).  And above is real world.  There is an IPS here, but it is installed in the typical fashion of guarding the Internet connection.  You can see what is coming in and going out, but all the craziness going on inside your network is about as visible as a Baptist on the front pew on Sunday (I was raised a Baptist, so I can say that).  You are guarding your network from the bad guys OUTSIDE, but everyone inside is having a good ol’ time playing and fiddling and whatever else, and you can’t see it.

So if you can’t re-architect, and you can’t put HIPS everywhere, and you can’t put an IPS everywhere, and that IPS blade seems like a pipe dream, and that security in every switch seems like an even bigger pipe dream, then what do you do?

Reality with IDS

Now you have an IDS on a span port, and you can see what is going on.  Do you have a proactive solution?  No.  But is this a useless installation of IDS?  Alan asked on my CW blog:

What good is the visibility if you can’t do anything about it?

To that I answered:

Alan, I think visibility is a very good thing to have in your network, even if you are having to act reactively to it. Proactive is definitely preferable, but with most IPS deployments being inline, you cannot see what is happening inside your network. You can only see what is going in and out of your network.

Basically, if I do not have the infrastructure in place to react, why would I choose to ignore it? I still want to know it is happening. Thinking that data is useless is ridiculous.

Again, I think automation is preferable, just as you say in your post. But I don’t think everyone is at a point to have that, even in the next 5 years. From a realistic POV, I see people WANTING stuff every day, but when I give ‘em a price tag, they yak all over the place. So as long as those people can buy an IDS and throw it on a span port and get some info as to what is going on in their network, then manufacturers will build the IDS.

That is just real world.  I have lived in that world.  I know what it is like not to have the money to build the perfect network.  I had an IPS on my ingress / egress Internet point.  I could see and block the baddies right there.  But I had no clue what was happening inside my network.  IPS wasn’t going to do me much good on a span port (I don’t like throwing a bunch of TCP resets on my network – it just ain’t pretty).  So I installed an IDS, and I installed a SIM tool so I could do some filtering and some better reaction, and I got the best I could get.

So that is why I think IDS is here for a while.  IPS will get rolled into UTM.  Eventually maybe it will get rolled into the switches and core switches in a reliable fashion that is also affordable.  Until then, why not have an idea of what is going on in your network?  You have to have visibility if you are going to do anything about it.  Better to react than not act at all!
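As an added illustration of the placement argument above (this is example code, not anything from the original post), here is a small model of the Core-Distribution-Access topology that compares what an IPS on the Internet link, an IPS ring around the core, and an IDS on a core SPAN port would each observe. The topology, host addresses and flows are constructed sample data.

```python
# Added example, not from the original post: a small model of the
# Core-Distribution-Access topology drawn above, used to compare what an IPS on
# the Internet link, an IPS ring around the core, and an IDS on a core SPAN port
# would each observe. The topology, hosts and flows are constructed sample data.

# Constructed topology: which distribution switch each access segment hangs off.
ACCESS_TO_DIST = {"A1": "D1", "A2": "D1", "A3": "D2", "A4": "D2"}
# Constructed hosts: address -> access segment, or "INET" for outside hosts.
HOSTS = {
    "10.1.0.5": "A1", "10.1.1.9": "A2", "10.2.0.7": "A3", "10.2.1.3": "A4",
    "203.0.113.10": "INET",
}
# Sensor placements from the post: the element each sits on, and whether it is
# inline (can block) or passive (can only alert).
SENSORS = {
    "edge_ips": ("EDGE", True),        # the typical "guard the Internet link" install
    "core_ring_ips": ("CORE", True),   # inline on every distribution-to-core link
    "core_span_ids": ("CORE", False),  # mirror of everything crossing the core
}

def path(src, dst):
    """Ordered list of network elements a flow between two hosts traverses."""
    s, d = HOSTS[src], HOSTS[dst]
    if s == "INET" and d == "INET":
        raise ValueError("flow never enters the network")
    if s == "INET":
        return ["EDGE", "CORE", ACCESS_TO_DIST[d], d]
    if d == "INET":
        return [s, ACCESS_TO_DIST[s], "CORE", "EDGE"]
    if s == d:                                     # same access segment
        return [s]
    if ACCESS_TO_DIST[s] == ACCESS_TO_DIST[d]:     # same distribution switch:
        return [s, ACCESS_TO_DIST[s], d]           # the core never sees it
    return [s, ACCESS_TO_DIST[s], "CORE", ACCESS_TO_DIST[d], d]

def visibility(flows):
    """For each sensor, the flows it can see and the subset it could block."""
    report = {name: {"seen": [], "blockable": []} for name in SENSORS}
    for flow in flows:
        p = path(*flow)
        for name, (element, inline) in SENSORS.items():
            if element in p:
                report[name]["seen"].append(flow)
                if inline:
                    report[name]["blockable"].append(flow)
    return report

def blind_spots(flows):
    """Flows none of the placements observe: the post's "almost everything hits
    the core" has exceptions, namely traffic staying under one distribution switch."""
    return [f for f in flows if "CORE" not in path(*f) and "EDGE" not in path(*f)]

# Constructed sample traffic: inbound, outbound, cross-site internal, and two
# flows that stay under a single distribution switch.
SAMPLE_FLOWS = [
    ("203.0.113.10", "10.1.0.5"),
    ("10.2.0.7", "203.0.113.10"),
    ("10.1.0.5", "10.2.0.7"),
    ("10.1.0.5", "10.1.1.9"),
    ("10.2.0.7", "10.2.1.3"),
]

if __name__ == "__main__":
    for name, r in visibility(SAMPLE_FLOWS).items():
        print(f"{name}: sees {len(r['seen'])}/{len(SAMPLE_FLOWS)} flows, "
              f"can block {len(r['blockable'])}")
    print("seen by nobody:", blind_spots(SAMPLE_FLOWS))
```

On the sample traffic the edge IPS sees only the two flows that cross the Internet link, while both core placements also see the cross-distribution internal flow; the two flows that never leave a distribution switch are invisible to all three, which is the case the SPAN-port IDS alone does not solve.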

OK, enough for today.  Have a good weekend everybody.

Vet

Categories: Security

How to respond to RFPs

August 21st, 2007 Michael Farnum

I wrote a while back about how selling to government sucks because of the RFP process you typically have to go through.  Well, my boss just pointed out this book to me.  The advice for answering RFPs is priceless.  Even if you will never answer an RFP yourself, read this to know some of the pain organizations go through in answering RFPs.  Great stuff.

Vet

Categories: Security

Product knowledge versus real knowledge

August 17th, 2007 Michael Farnum

I was at a client site the other day…  Wait a minute.  I just realized how often I open posts with that line now.  I feel like Snoopy: It was a dark and stormy night!

Anyway, I was visiting a client the other day (yea, that’s better :) ), and I was accompanied by my sales guy and a sales guy from a vendor with which Accuvant partners.  My sales guy had invited the partner on the call, and then let me know a couple of days ahead of time that this was going on and that I needed to be there because the vendor’s sales guy was not going to have an SE available from his company.  I am fairly familiar with this particular partner’s products.  I have used them a lot in the past.  But during the meeting, the conversation turned specifically to a particular product line, and it just so happens that I am not as familiar with this product. 

So long story short, I basically had to admit in the meeting that I did not know the product line very well and I would have to do some research.  Now the customer had no issue with that at all, but I could tell that the partner was none too happy. 

Now generally, I could not care less about what partners think of me.  I have been in trouble before with vendors, and I will be in trouble again I am sure.  But in this particular incident, I felt like I had not done enough prep beforehand and had done a disservice to the partner.

Anyway, the meeting went forward and turned to more security-centric talk, such as where they should place IPS, etc.  The sales guys got bored for a while because we got to whiteboarding a bit, but it turned out real well, and the customer ended up giving me some kudos because I pointed out some issues he had not considered.  And several times during the technical talk I pointed out products that the vendor had that could help with certain problems.  So my sales guy and I left feeling like the meeting went well, and I am pretty sure the customer felt the same.  But I still am not sure what the vendor’s sales guy thought.

As a pre-sales engineer, I am expected to know product as well as have in-depth security knowledge.  Now I know which one I am better at (three guesses), but I realize the reality of these types of situations.  But as a VAR pre-sales engineer, I am expected to know a BUNCH of products.  It can be a little crazy at times.

So really this is just some thoughts on my blog about this.  I don’t know that I have a specific point.  But for some reason it just struck me to write about this.

Vet

My junk mail folder for 8/14

August 14th, 2007 Michael Farnum

Don’t ask why.  Just felt like posting it.

[image]

Vet

Categories: Security

Junior telephone wiretapping kit

August 13th, 2007 Michael Farnum

OK, this is hilarious.  Looks like Toys ‘R Us WAS carrying this “toy” (the link at Toys ‘R Us doesn’t work any more – my guess is because a lawyer got involved, but who knows).  Here’s what Matt Blaze had to say about it on his post:

As strongly as I feel about the evils of illegal wiretapping, I must admit to having decidedly mixed feelings here. No, kids, don’t tap your neighbor’s phone. But unraveling the once-forbidden mysteries of telephone electronics has a way of pulling a young geek into a lifetime of technological exploration. It certainly did for me.

I never got into phreaking and hacking at an early age (wish I did, but being raised in back-woods Mississippi introduces some limitations).  However, I did see Wargames, which inspired the crap out of me like so many other kids of that age.  And I had an electronics kit which I learned a few things from.  And having three kids, I know it is hard to tell a kid no when they want to do something like this, especially if it is in a controlled environment.  Kids typically learn from experimenting much better than reading books (I know I did and still do).

Of course, if you have a kid like Calvin, then you might want to keep this out of his / her hands for a while:

[image: Calvin and Hobbes comic strip]

Of course, if you like jacking with your kid’s mind like Calvin’s father, then you might have a clue why your kid is like that.

Vet

Categories: Security

Spammers putting a cap in captcha

August 12th, 2007 Michael Farnum

Looks like Google and Microsoft (Hotmail) are getting smacked by the HotLan trojan now, which evidently is finding a way around the captcha system they have in place to stop automated email account creation.

From this article:

According to Viorel Canja, head of BitDefender Antivirus Lab, around 514,000 Hotmail accounts were created as of last Friday, as well as about 49,000 Gmail accounts.

And this:

“However, it is worth noting that while most of the Hotmail accounts are operational, Gmail accounts get blocked pretty fast, usually about a couple of days after being created,” said Canja.

Not sure whether to laugh at MS or feel their pain, since they had 514,000 versus 49,000 for Google.  But that also begs the question of why Hotmail got hit so much harder.  Was it poor security or just the fact that they are Hotmail?

Vet

Categories: Security

Pimping for a friend’s SANS GSEC mentoring course

August 11th, 2007 Michael Farnum

My buddy Don Weber is mentoring for the GSEC course down in Corpus Christi, TX.  Don brings a lot of practical knowledge to SANS, something the mentoring program is known for.  I have taken the mentoring program, and it really prepared me for the GSEC test.  Definitely recommended.  And like Martin said in his pimp post, if you take this course you are making a great contact in the security industry.

On top of all that, Don is just a plain ol’ great guy.

Vet

Categories: Security

A post about selling futures on my CW blog

August 10th, 2007 Michael Farnum

If you don’t normally read my blog at Computerworld, do me a favor and take a look at my latest post over there.  This subject is something that really irks me. 

Vet

Categories: Security

RSA buys Tablus

August 9th, 2007 Michael Farnum
Categories: Security

Greeting Card spam

August 7th, 2007 Michael Farnum

Been getting a steady flow of greeting card spam trying to get me to visit some different sites.  All the IPs are in the bowels of Comcast.

Hi. Friend has sent you a greeting ecard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card’s direct www address below while you are connected to the Internet:

http://98.199.79.254/?8911e6c36a4bc955099675c500

Or copy and paste it into your browser’s “Location” box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Administrator,
AmericanGreetings.Com

Hi. Neighbour has sent you an ecard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card’s direct www address below while you are connected to the Internet:

http://24.34.120.226/?71d7d41977bc649ea95523893

Or copy and paste it into your browser’s “Location” box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Administrator,
netfuncards.com

Hi. Worshipper has sent you a greeting card.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card’s direct www address below while you are connected to the Internet:

http://71.203.99.209/?3c5c036b0339eb3a6075338ee7c

Or copy and paste it into your browser’s “Location” box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Webmaster,
egreetings.Com

Update: I posted this and then went looking at some other blogs.  I found this on the Symantec blog State of Spam post:

Greeting card spam containing links to viruses was seen in higher than usual numbers in July. More than 250 million Symantec customers were targeted with these message types. Around the Fourth of July a particularly large outbreak was seen and blogged on. The content of the greeting cards consists of an exposed IP address in most cases, which is a very good indicator that the card is not genuinely good. These exposed IP address links were downloading Trojans onto computers. A sample of this message type can be seen in the August State of Spam Report.
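The "exposed IP address" indicator Symantec describes above is easy to check mechanically. The following is an added example, not code from the original post or from Symantec: it pulls the links out of a greeting-card style message, flags any whose host is a bare IP address, and compares the brand named in the signature block with where the links actually point. The sample messages and the signature pattern are constructed; the IP comes from a documentation range.

```python
# Added example, not from the original post: a checker for the "exposed IP
# address" indicator in greeting-card spam. It extracts every link from a
# message, flags links whose host is a literal IP address, and compares the
# brand named in the signature with the link hosts. Samples are constructed.
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Constructed assumption: the signature block names the brand the card claims
# to come from, e.g. "Administrator,\nExampleCards.com".
SIGNATURE_RE = re.compile(
    r"^(?:Administrator|Webmaster),\s*\n\s*([A-Za-z0-9.-]+\.[A-Za-z]{2,})\s*$",
    re.MULTILINE,
)

def extract_links(body):
    """Return (url, host) pairs for every http(s) link in the message body."""
    return [(u, (urlparse(u).hostname or "").lower()) for u in URL_RE.findall(body)]

def is_bare_ip(host):
    """True when the link host is a literal IP address instead of a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def claimed_brand(body):
    """Domain named in the signature block, lower-cased, or None if absent."""
    m = SIGNATURE_RE.search(body)
    return m.group(1).lower() if m else None

def analyze_card(body):
    """List the reasons a greeting-card message looks like the spam quoted above.
    An empty list means no indicator fired."""
    reasons = []
    brand = claimed_brand(body)
    for url, host in extract_links(body):
        if is_bare_ip(host):
            reasons.append(f"link to bare IP address: {url}")
        elif brand and host != brand and not host.endswith("." + brand):
            reasons.append(f"link host {host} does not match signature {brand}")
    return reasons

# Constructed sample in the shape of the messages quoted above (documentation IP).
SPAM_CARD = """Hi. Friend has sent you a greeting ecard.
See your card as often as you wish during the next 15 days.

http://192.0.2.44/?0123456789abcdef

Wishing you the best,
Administrator,
ExampleCards.com
"""

# Constructed sample: a card whose link actually goes to the signing brand.
LEGIT_CARD = """Hi. Friend has sent you a greeting ecard.

https://cards.examplecards.com/view?id=12345

Wishing you the best,
Administrator,
ExampleCards.com
"""

if __name__ == "__main__":
    print("spam sample:", analyze_card(SPAM_CARD))
    print("legit sample:", analyze_card(LEGIT_CARD))
```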

Vet

Categories: Security

Why is NAC such a volatile subject?

August 6th, 2007 Michael Farnum

OK, Alan and Dominic, what is the deal?  Why are you guys beating each other up?  In fact, why is Alan getting into a punching match every other week with either another NAC vendor or someone who doesn’t like NAC?  Why is there always such controversy over NAC?

I believe there is one big reason for this: no one does it exactly the same.  From pre-admission to post-admission to with or without an agent to inline or out of band, yada yada yada.  But when all of these guys and gals start going for each other’s throats, it just makes me wonder if it is all ever going to come out in the wash.  Which one will succeed?  Will one form of NAC win out in the long run?

There may be one form of NAC that is a better fit in most environments, but I am not sure that any one form will beat out the rest.  Environments are still different, and there are always solutions that fit better in those different environments.

Of course, if all the NAC vendors get together for a cage match…

Vet

Categories: Security

There’s no hope – I quit

August 3rd, 2007 Michael Farnum

OK, I am officially depressed.  Here’s Richard Bejtlich’s impression of the state of security after one day at BlackHat:

My overall impression from the first day of briefings can be summarized in this manner.

  • Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, “properly configured,” not running Javascript, or adopting any number of other current defensive strategies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.
  • Detecting current attacks in “real time” is increasingly difficult, if not impossible. Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by “rich Internet applications” and frameworks. I realized that the “rich” in “RIA” refers to the money intruders will make by exploiting Web clients.
  • The average Web developer and security professional will never be able to counter these attacks. Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it’s time to face the truth. There is no way to get “ahead of the threat” here.

Holy crap.  What in the world am I doing then?  I guess making money off some poor, ignorant bastards who have no idea that every effort we are making is totally useless.  Well, I guess in order to maintain my integrity, I should just quit.

Sheesh.

Vet

WSJ needs a smack upside the head

August 2nd, 2007 Michael Farnum

I know I am late on posting about this (I am out of whack – trying to sell the house, been sick, had my parents in for two days, my middle child turned 5, working on multiple RFPs, etc, etc, etc.).  But when I saw Andy’s post about this WSJ article about how to evade your company’s security measures, I about crapped my pants.  What an idiotic article!

Vet

Categories: Security

Lack of blogging

August 1st, 2007 Michael Farnum

Sorry that I have not been blogging a lot lately.  Still getting over my flu or whatever it was.  I am trying to get back into the swing of things.  I hate it when I am not blogging on a regular basis.

Vet

Categories: Security