22.11  
TaoSecurity
Richard Bejtlich's blog on digital security and the practices of network security monitoring, incident response, and forensics.

  • Managing Security in Economic Downturns
    You don't need to read this blog for news on the global economic depression. However, several people have asked me what it means for security teams, especially when Schneier Agrees: Security ROI is "Mostly Bunk". No one can generate cash by running a security team; the best we can do is save money. If your security team generates cash, you're either an MSSP, a collection agency of some sort (these do exist, believe it or not!), in need of being spun off, or not accounting for all of your true costs.

    Putting the ROI debate aside, these are tough economic times. Assuming we can all stay employed, we might be able to work the situation to our advantage. Nothing motivates management like a financial argument. See if one or more of the following might work to your advantage, because of the downturn.

    1. Promote centralization and consolidation. The more large organizations I've joined, consulted for, or met, the more I see that successful ones have centralized, consolidated security teams. There's simply not enough skilled security personnel to protect us, and spreading the talent across large organizations leaves too many gaps. Think of the pockets of talent distributed across your own company, and how their skills could be applied organization-wide if properly positioned. If head counts are threatened, make a play for creating a single central group that helps the whole company and bring the best talent into that team.

    2. Convert business security leaders into local experts/consultants. If you work within a large company, your individual business leaders may not like seeing their local staff join a larger company-wide organization. However, those that remain in the business should now be free to focus on what is unique about their business, instead of the minutiae of managing anti-virus, firewalls, patches, and other "traditional" security measures that are absolutely vanilla functions which could be outsourced overseas in a heartbeat. What's more valuable, a security leader who can run an AV console, configure a firewall, and apply a patch, or one who can advise their business CEO on the risks, regulations, and realities of operating in their individual realm? Notice I said leader and not technician. Technicians do the routine tasks I mentioned and are ripe for outsourcing; don't cling to that role unless you want to be replaced by a Perl script.

    3. Advocate standardization where it makes sense. For example, is it really necessary to have more than one "gold image" for your common desktop/laptop user? Why develop your own image when the Federal government is doing all the work for you with the Federal Desktop Core Configuration? Turn the team that creates your own image into a much smaller one that tweaks the FDCC, and redeploy the personnel where you need them.

    4. Cut through bureaucracy and authority barriers with a financial knife. This one really bugs me. How many incident responders out there lose time, effectiveness, and data because 1) you don't know who owns a victim computer; 2) finding someone who owns the computer takes time; 3) getting permission to do something about the victim requires more time? You can probably make a case for reduced help desk costs, fewer support personnel, and faster/more accurate/cheaper incident response if you gain the authority to perform remote live response and/or forensics on any platform required, minus some accepted and reasonable exclusion list. This requires 1) good inventory management; 2) forensic agent pre-deployment or administrator credentials to deploy an agent or scripts as necessary; and 3) mature processes and trained people to execute.

    5. Simplify and build visibility in. An example comes from my post Feds Plan to Reduce, Then Monitor. What's cheaper than 1) identifying all your gateways; 2) devising a plan to reduce that number; and 3) building visibility in? Step 1 takes some effort, step 2 might strain your network architects, and step 3 could require new monitoring platforms. However, when done, you're spending less money on gateways, less time scoping intrusions, and fewer resources on scrambling during incident response because you know all the ways in and out of your organization -- and you can see what is happening. This is a no-brainer.

    6. Move data, not people. This is the principle I mentioned in Green Security. I'm sure your travel budget is being cut. Why fly a security person around the world when, if you achieve the goals in step 4, you can move the data instead? And, if you're building visibility in, you have more data available and don't need to scramble for it.

    7. Wrap everything in metrics. This one is probably the most painful, but it's definitely necessary. If you can't justify your security spending, you're more likely to be cut in a downturn. This doesn't mean "security ROI." What it does mean is showing why your approach is better than the alternatives, with "better" usually meaning (but not always) "cheaper." It can be difficult to capture finances in our field, but I have some ideas. One is intrusion debt. If you've recently hired any outside consultants to assist with security work, their invoices provide a ton of metrics opportunities. (You have a tangible cost that you wish to avoid by taking steps X, Y, and Z in the future.) Metrics can also justify team growth, which is the next step out of the downturn. Be ready!


    If you have any ideas, please post them here. I think this is an important topic. Thank you.


    Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

  • Tips for PSIRTs
    If your company sells software, you probably need to have a Product Security Incident Response Team (PSIRT). The PSIRT should act as the single point of contact for any user of your product to report and coordinate security problems with your software product.

    Examples of PSIRTs include:

    I think you can tell how seriously a company takes security by the way it promotes its PSIRT, obscures its existence, or does not even operate one. Try comparing Oracle to Cisco, for example.

    If you're looking to start a PSIRT, Chad Dougherty's Recommendations to vendors for communicating product security information post on the CERT blog is a great start.



  • Snort Report 21 Posted
    My 21st Snort Report titled Understanding Snort's Unified2 output has been posted. From the article:

    Welcome to the 21st edition of the Snort Report! In July 2007 I described Snort's Unified output, first released in July 2001 with Snort 1.8.0. Unified output allows Snort to write sets of data to a sensor's hard drive. Writing to the hard drive, instead of performing database inserts, allows Snort to operate faster and minimize packet loss.

    Unified2 output first appeared in Snort 2.8.0, released in September 2007.


    I came across this comparison of Unified and Unified2 format at SecurixLive.com but didn't get to include it in my article.

    If you're worried about the Barnyard2 implementation at SecurixLive having licensing issues, the author is addressing those as we speak; he did not intend to cause any trouble. So, I am looking forward to seeing greater adoption of Unified2 formats once solutions like those in my article are tested.
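    As an added example (not code from the article, from Snort or from Barnyard2), here is a minimal Python reader for the Unified2 files the article describes. It follows Snort's Unified2 record layout: an 8-byte big-endian type/length header per record, the 52-byte IDS event record (type 7) and the 28-byte packet record header (type 2) followed by the raw packet. The sample file, sensor and signature values are constructed, and the reader stops cleanly at the partial record a still-running Snort leaves at the end of a file.

```python
"""Minimal reader for Snort's Unified2 log format (added example, not from the article).

Layout follows Snort's Unified2 definitions: each record is an 8-byte big-endian
(type, length) header followed by `length` bytes.  Decoded here: IDS_EVENT
(type 7, 52-byte fixed record) and PACKET (type 2, 28-byte header + raw packet).
Other record types are returned undecoded so a reader can skip them.
"""
import socket
import struct

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

_HDR = struct.Struct("!II")          # record type, record length
_EVENT = struct.Struct("!11I2H4B")   # 52 bytes: ids, timestamps, sig, addrs, ports, flags
_PACKET = struct.Struct("!7I")       # 28 bytes preceding packet_data

_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision", "classification_id",
    "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)
_PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                  "packet_microsecond", "linktype", "packet_length")


def _dotted(addr):
    """Render a 32-bit IPv4 field as a dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", addr))


def parse_unified2(data):
    """Yield (record_type, fields) for each complete record in `data`.

    A trailing partial record (Snort still writing, or a cut file) ends the
    walk instead of raising, which is what a tailing reader like Barnyard needs.
    """
    off = 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        body = data[off + _HDR.size: off + _HDR.size + rlen]
        if len(body) < rlen:
            break
        if rtype == UNIFIED2_IDS_EVENT and rlen >= _EVENT.size:
            ev = dict(zip(_EVENT_FIELDS, _EVENT.unpack_from(body)))
            ev["ip_source"] = _dotted(ev["ip_source"])
            ev["ip_destination"] = _dotted(ev["ip_destination"])
            yield rtype, ev
        elif rtype == UNIFIED2_PACKET and rlen >= _PACKET.size:
            pk = dict(zip(_PACKET_FIELDS, _PACKET.unpack_from(body)))
            pk["packet_data"] = body[_PACKET.size:_PACKET.size + pk["packet_length"]]
            yield rtype, pk
        else:
            yield rtype, {"raw": body}   # IPv6/VLAN event variants, extra data, unknown
        off += _HDR.size + rlen


def build_sample():
    """Constructed Unified2 file: one event, its packet, then a truncated event."""
    src = struct.unpack("!I", socket.inet_aton("192.0.2.10"))[0]
    dst = struct.unpack("!I", socket.inet_aton("198.51.100.5"))[0]
    ev = _EVENT.pack(1, 42, 1226368500, 123456, 1000001, 1, 3, 4, 2,
                     src, dst, 43512, 80, 6, 0, 0, 0)
    pkt = b"\x45\x00\x00\x28" + b"\x00" * 36       # constructed IPv4 header bytes
    pk = _PACKET.pack(1, 42, 1226368500, 1226368500, 123456, 1, len(pkt)) + pkt
    truncated = _HDR.pack(UNIFIED2_IDS_EVENT, _EVENT.size) + ev[:20]
    return (_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + _HDR.pack(UNIFIED2_PACKET, len(pk)) + pk + truncated)
```

    Pairing the event and packet records by (sensor_id, event_id) is what lets a consumer such as Barnyard2 attach the captured packet to the alert it belongs to.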



  • Intellectual Property: Develop or Steal
    I found the article Internet thieves make big money stealing corporate info in USA Today to be very interesting.

    In the past year, cybercriminals have begun to infiltrate corporate tech systems as never before. Knowing that some governments and companies will pay handsomely for industrial secrets, data thieves are harvesting as much corporate data as they can, in anticipation of rising demand...

    Elite cybergangs can no longer make great money stealing and selling personal identity data. Thousands of small-time, copycat data thieves have oversaturated the market, driving prices to commodity levels. Credit card account numbers that once fetched $100 or more, for instance, can be had for $10 or less, says Gunter Ollmann, chief security strategist at IBM ISS, IBM's tech security division.

    Who buys stolen business data? Brett Kingstone, founder of Super Vision International (now Nexxus Lighting), an Orlando-based industrial lighting manufacturer, knows the answer all too well. In 2000, an intruder breached Super Vision's public-facing website and probed deep enough to snatch secrets behind the company's patented fiber-optic technology.

    That intelligence made its way into the hands of a Chinese entrepreneur, Samson Wu. In his book, The Real War Against America, Kingstone recounts how Wu obtained Super Vision's detailed business plans, built a new Chinese factory from scratch and began mass marketing low-priced counterfeit lighting fixtures, complete with warranties referring complaints to Super Vision.

    "They had an entire clone of our manufacturing facility," says Kingstone, who won a civil judgment against Wu. "What took us $10 million and 10 years to develop, they were able to do for $1.4 million in six months..."

    In the past nine months, data thieves have stepped up attacks against any corporation with weak Internet defenses. The goal: harvest wide swaths of data, with no specific buyer yet in mind, according to security firm Finjan...

    "Cybercriminals are focusing on data that can be easily obtained, managed and controlled in order to get the maximum profit in a minimum amount of time," says Ben-Itzhak.

    Researchers at RSA, the security division of tech systems supplier EMC, have been monitoring deals on criminal message boards. One recent solicitation came from a buyer offering $50 each for e-mail addresses for top executives at U.S. corporations...

    Meanwhile, corporations make it all too easy, say tech security experts and law enforcement officials.
    (emphasis added)

    We know amateurs study cryptography; professionals study economics, and this explains why. $1.4 million over six months vs $10 million over 10 years makes theft the more attractive proposition for those outside the law.

    I'm often asked how we should think about "winning" our current cyber conflicts. I like to consider two metrics.

    1. Information assurance is winning, in a broad sense, when the cost of stealing intellectual property via any means is more expensive than developing that intellectual property independently.

    2. Information assurance is winning, in a narrow sense, when the cost of stealing intellectual property via digital means is more expensive than stealing that data via nontechnical means (such as human agents placed inside the organization).


    Number 1 is preferred when you consider your organization as a whole. Number 2 is preferred if you only care about making IP theft the problem of your physical security organization! Obviously I prefer number 1 if possible, but number 2 is more achievable in the medium to long term.

    This echoes the comment I made in Ten Themes from Recent Conferences:

    We cannot stop intruders, only raise their costs. Enterprises stay dirty because we cannot stop intruders, but we can make their lives more difficult. I've heard of some organizations trying to raise the $ per MB that the adversary must spend in order to exfiltrate/degrade/deny information.



  • Laid-off Sys Admin Story Makes My Point
    I read this great story by Sharon Gaudin titled Laid-off sysadmin arrested for threatening company's servers:

    A systems administrator was arrested in New Jersey today for allegedly trying to extort money and even good job references out of a New York-based mutual fund company that had just laid him off...

    Viktor Savtyrev, of Old Bridge, N.J., was arrested at his home Monday morning. He faces two charges under the federal cyberextortion statute...

    Late in the morning of Thursday, Nov. 6, Savtyrev allegedly used a Gmail account to e-mail the company's general counsel and three other employees, saying he was "not satisfied with the terms" of his severance, according to FBI Special Agent Gerald Cotellesse in the complaint. Savtyrev allegedly threatened to cause extensive damage to the company's computer servers if it would not increase his severance pay, extend his medical coverage and provide "excellent" job references.

    The sysadmin also threatened to alert the media after attacking the server.


    Now, I know many of you are saying "See! The insider threat is so terrible!" I look at this story and think the opposite. This story exemplifies the point I made in Of Course Insiders Cause Fewer Security Incidents. If the potential intruder in this case had been an adversary in East Slobovia, the victim company would have no recourse. The bad guy could take whatever action he wants because no one can touch him.

    Because the potential intruder was an insider, the victim company knew who he was, where he lived, and could enlist law enforcement help to arrest him.

    Like I also said in the previous post:

    However, as I've said elsewhere, insiders will always be better informed and positioned to cause the most damage to their victims. They know where to hurt, how to hurt, and may already have all the access they need to hurt, their victim.

    This is another strike against those who believe in vulnerability-centric security. No company has air-tight defenses, so even if you do a good job revoking access from ex-employees, they can still strike back. At least when they are former insiders you have a chance of putting them out of commission by striking at the threat, not patching more holes.



  • Marcus Ranum on Network Security
    I liked this interview with Marcus Ranum titled Marcus Ranum on Network Security:

    Q: In your opinion, what is the current weakest link in the network security chain that will need to be dealt with next year and beyond?

    MJR: There are two huge problems: Software development and network awareness. The software development aspect is pretty straightforward. Very few people know how to write good code and even fewer know how to write secure code. Network awareness is more subtle. All through the 1990s until today, organizations were building massive networks and many of them have no idea whatsoever what's actually out there, which systems are crucial, which systems hold sensitive data, etc.

    The 1990s were this period of irrational exuberance from a security standpoint - I think we are going to be paying the price for that, for a long time indeed. Not knowing what's on your network is going to continue to be the biggest problem for most security practitioners...

    The real best practices have been the same since the 1970s: know where your data is, who has access to what, read your logs, guard your perimeter, minimize complexity, reduce access to "need only" and segment your networks. Those are the practices and techniques that result in real security.
    (emphasis added)

    One way to begin this process is to hire an Enterprise Visibility Architect with the authority to figure out what is happening inside the organization.



  • BGPMon on BGP Table Leak by Companhia de Telecomunicacoes do Brasil Central
    Last month I posted BGPMon.net Watches BGP Announcements for Free. I said:

    I created an account at BGPMon.net and decided to watch for route advertisements for Autonomous System (AS) 80, which corresponds to the 3.0.0.0/8 network my company operates. The idea is that if anyone decides to advertise more specific routes for portions of that net block, and the data provided to BGPMon.net by the Réseaux IP Européens (RIPE) Routing Information Service (RIS) notices the advertisements, I will get an email.

    Well, that started happening last night:


    You Receive this email because you are subscribed to BGPmon.net.
    For more details about these updates please visit:
    http://bgpmon.net/showupdates.php

    ====================
    Possible Prefix Hijack (Code: 11)
    1 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
    Update details: 2008-11-11 01:55 (UTC)
    3.0.0.0/8
    Announced by: AS16735 (Companhia de Telecomunicacoes do Brasil Central)
    Transit AS: 27664 (CTBC Multimídia)
    ASpath: 27664 16735

    I got four more updates, the last at 2008-11-11 02:59 (UTC).

    These alerts indicated that AS16735 (Companhia de Telecomunicacoes do Brasil Central) was advertising routes for my company's 3.0.0.0/8 netblock. That's not good.

    When I saw that I initially assumed we were the only ones affected. Early today I read Prefix hijack by AS16735 on the BGPMon blog stating the following:

    Between 01:55 UTC and 02:15, 267947 distinct prefixes were originated from AS16735 (Companhia de Telecomunicacoes do Brasil Central), hence a full table "leak". After that more updates were detected. The last hijack update originated by AS16735 was received at 03:07 UTC. So the "hijack" was there for about 75 minutes. As far as I can see the only RIS collector who saw this hijack was the one in Sao Paulo, Brazil (PTTMetro-SP), there it was seen by a few RIS peers.

    This means that Companhia de Telecomunicacoes do Brasil Central advertised routes for the whole Internet. It was a mistake; no one does that on purpose.

    The NANOG mailing list has a thread on this event if you want to see what others reported.

    A look at the RIPE AS Dashboard for AS 27664, a transit AS, shows the spike in BGP updates per minute caused by this event.



    Unfortunately, I do not see one for AS 16735, the culprit here. Good work BGPMon!
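    An added example, not BGPMon's code, of the origin-AS check that this kind of monitoring performs: it walks a feed of announcements and flags any announcement of the monitored 3.0.0.0/8 block, or of a more-specific prefix inside it, whose origin AS (the last hop of the AS path) is not the expected AS 80 named in the post. The feed, timestamps and AS paths in the sample are constructed, with the first entry mirroring the alert quoted above.

```python
"""Origin-AS check over BGP announcements for a monitored prefix (added example).

For each watched prefix and its expected origin AS, an update is an alert when
it announces exactly that prefix or a more-specific one inside it from some
other origin.  Announcements from the expected origin (including our own
deaggregation) and unrelated prefixes are ignored.
"""
import ipaddress
from collections import namedtuple

Update = namedtuple("Update", "seen prefix as_path")            # constructed input shape
Alert = namedtuple("Alert", "kind seen prefix origin_as transit_as")

# Watched block -> expected origin AS, as stated in the post (AS 80 for 3.0.0.0/8).
MONITORED = {ipaddress.ip_network("3.0.0.0/8"): 80}


def origin_and_transit(as_path):
    """Origin is the last AS in the path; the first AS is the collector's peer."""
    hops = [int(asn) for asn in as_path.split()]
    return hops[-1], hops[0]


def check_update(update, monitored=MONITORED):
    """Return an Alert if the update conflicts with a watched prefix, else None."""
    net = ipaddress.ip_network(update.prefix, strict=False)
    for watched, expected_origin in monitored.items():
        if net.version != watched.version:      # subnet_of() rejects mixed families
            continue
        if net == watched or net.subnet_of(watched):
            origin, transit = origin_and_transit(update.as_path)
            if origin == expected_origin:
                return None                     # legitimate announcement
            kind = "prefix_hijack" if net == watched else "more_specific_hijack"
            return Alert(kind, update.seen, str(net), origin, transit)
    return None                                 # prefix outside every watched block


def scan(updates, monitored=MONITORED):
    """Run check_update over a whole feed and keep only the alerts."""
    return [a for a in (check_update(u, monitored) for u in updates) if a]


# Constructed sample feed; the first entry mirrors the BGPMon alert in the post.
SAMPLE = [
    Update("2008-11-11 01:55", "3.0.0.0/8", "27664 16735"),
    Update("2008-11-11 01:56", "3.1.0.0/16", "27664 16735"),   # sub-prefix, same culprit
    Update("2008-11-11 01:57", "3.0.0.0/8", "1299 80"),        # expected origin, no alert
    Update("2008-11-11 01:58", "8.0.0.0/8", "27664 16735"),    # not a watched block
]
```

    A more-specific announcement is the more dangerous case, since routers prefer the longest match regardless of who originates the covering /8.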



  • Bejtlich Teaching at Black Hat Europe 2009
    Black Hat was kind enough to invite me back to teach a new 2-day course at Black Hat Europe 2009 Training on 14-15 April 2009 at the Mövenpick City Centre in Amsterdam, Netherlands. This class, completely new for 2009, is called TCP/IP Weapons School 2.0. This is my only scheduled class outside the United States in 2009.

    The short description says:

    This hands-on, lab-centric class by Richard Bejtlich focuses on collection, detection, escalation, and response for digital intrusions.

    Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you need answers to these questions, TCP/IP Weapons School 2.0 (TWS2) is the Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. TWS2 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats.


    Registration is now open. Black Hat set the four price points and deadlines for registration:

    1. Early: Ends Feb 1

    2. Regular: Ends Mar 1

    3. Late: Ends Apr 1

    4. Onsite: Apr 14


    Please join me in Amsterdam next year for TCP/IP Weapons School 2.0. If you've attended previous classes, even TCP/IP Weapons School, this class is entirely new and you're definitely welcome back. This will be the same class as the one I teach in DC in February 2009, however. Thank you.

  • Bejtlich Teaching at Black Hat DC 2009 Training
    Black Hat was kind enough to invite me back to teach a new 2-day course at Black Hat DC 2009 Training on 16-17 February 2009 at the Hyatt Regency Crystal City in Arlington, VA. This class, completely new for 2009, is called TCP/IP Weapons School 2.0. This is my only scheduled class on the east coast of the United States in 2009.

    The short description says:

    This hands-on, lab-centric class by Richard Bejtlich focuses on collection, detection, escalation, and response for digital intrusions.

    Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you need answers to these questions, TCP/IP Weapons School 2.0 (TWS2) is the Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. TWS2 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats.


    Registration is now open. Black Hat set the four price points and deadlines for registration:

    1. Early: Ends Jan 1

    2. Regular: Ends Feb 1

    3. Late: Ends Feb 11

    4. Onsite: Feb 16


    Please join me in the DC area next year for TCP/IP Weapons School 2.0. If you've attended previous classes, even TCP/IP Weapons School, this class is entirely new and you're definitely welcome back. Thank you.

  • Securix-NSM 1.0 Released
    Yesterday I read A successor is born... Securix-NSM 1.0. Securix-NSM is a Debian-based live CD that is the fastest way I've ever seen for a new user to try Sguil. All you have to do is download the 280 MB .iso, boot it, and follow the quick start documentation.

    Those steps are basically:

    1. Open a terminal.

    2. Execute 'sudo nsm start'.

    3. Double-click on the Sguil client icon.

    4. Log into Sguil.



    To test Sguil, I executed 'apt-get install lynx' then visited www.testmyids.com. In the screenshot you'll see the default Sguil installation generated two alerts. I was able to generate a transcript and launch Wireshark. However, SANCP session records did not appear to be inserted into the database although SANCP was running.

    I suggest trying Securix-NSM if you'd like to try using Sguil but have no experience setting it up.

