The line between Black and White is often understood to be the law itself, i.e. if you’re a hacker, cracker or even a “skidie”, your hat changes colour the minute you go from having permission to do something to not having permission.  I however wager that if we were to exact that understanding on every security expert in this field of expertise, today, it would be a near 100% perfect sea of Black Hats.

So the question becomes, if that’s the case, are we all really the “bad guys”? I put to you a different concept, I different way of thinking about this that, personally, I think fits much better.

First of all let’s forget about hats and the law and look at a couple of basic concepts. Motivation is the activation or energization of goal-oriented behaviour and  is defined as intrinsic or extrinsic. Intrinsic motivation comes from rewards inherent to a task or activity itself – the enjoyment of a puzzle or the love of playing whereas Extrinsic motivation comes from outside of the performer. Money is the most obvious example, but coercion and threat of punishment are also common extrinsic motivations.

Another point of consideration is Goal orientation, often seen as an aspect of an individual’s motivation. An individual’s goal orientation describes the goals that they choose and the methods used to pursue those goals. One of the most common conceptualizations of goal orientation is the three factor model, that is, individuals can be described in terms of goal orientation based on three factors:

• mastery,
• performance-approach, and
• performance-avoid.

Individuals with a mastery goal orientation seek challenging tasks and value learning. Highly performance-approach oriented individuals seek tasks that allow them to demonstrate the skills they already possess, and highly performance-avoidant tend to avoid tasks where they may fail and thus appear incompetent.

The final aspect to consider in this equation is an agent’s intention in performing an action. In so much as his or her specific purpose in doing so, the end or goal that is aimed at, or intended to accomplish. In recent years, there has been a large amount of work done on the concept of intentional action in experimental philosophy. This work has aimed at illuminating and understanding the factors which influence people’s judgments of whether an action was done intentionally. For instance, research has shown that unintended side-effects are often considered to be done intentionally if the side-effect is considered bad and the person acting knew the side-effect would occur before acting. Yet when the side-effect is considered good, people generally don’t think it was done intentionally, even if the person knew it would occur before acting. The most well-known example involves a chairman who implements a new business program for the sole purpose to make money but ends up affecting the environment in the process. If he implements his business plan and in the process he ends up helping the environment, then people generally say he unintentionally helped the environment; if he implements his business plan and in the process he ends up harming the environment, then people generally say he intentionally harmed the environment. The important point is that in both cases his only goal was to make money. While there have been many explanations proposed for why the “side-effect effect” occurs, researchers on this topic have not yet reached a consensus.

So now we understand a little about motivation, goals & Intentions, what really makes the “bad guy” bad? Well its worth adding into themix that the “good guys” and “bad guys” all have the same level of skill, they all learned it the same way and they all have the same aptitude (loosely speaking of course). In fact during the learning process its probably fair to wager that on occasion everyone ended up, purely through exploration, somewhere they shouldn’t have been.  Does this make us all “bag guys”?

I certainly do not think so. In my opinion, motivation, goals & intent are what separate the good from the bad, and in this context the “White Hats” from the “Black Hats”. Let’s look at an example. the CERT Coordination Centre came up with an interesting classification matrix, which I have provided below as a diagram:

In the above diagram, we see six types of attacker (as well as a virtual 7th type that could be all 6 in a different context), six types of motivation and four goals.  It is assumed in  this classification, as insinuated by the word “Attacker”, that we are dealing with the “bag guys” or Black Hats here, however, I would argue that the first type, “Hacker” has a motivation and goal that is not negative or in fact malicious in any way, so should they also be considered a “bad guy”?  Its fair to say, someone hell bent on the quest for knowledge in that particular classification may take a devil may care approach that could have a negative impact on the systems they are exploring, but again, is this malicious intent, or just carelessness?

In summary I put it to you that there are no White Hats, or Black hats in the world today, just Shades of Grey, and that only motivation, goals and intent separate those of us trying to help from those who have a more nefarious purpose.

Like

Unlike

                          

Related posts

• PenTest Straw Poll (0)
• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)

First of all, lets define what we are talking about. There is a simple definition for Cloud Computing, and three models of operation as held by NIST, these are:

Definition:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Models of Operation:

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Now, I am pretty sure that during my long career, I have seen a lot of companies doing IaaS and PaaS as a “Business as Usual” activity, haven’t you? In my experience, IaaS is nothing more than a traditional infrastructure outsourcing arrangement, as undertaken with IBM, HP/EDS or BT, while PaaS is just a simple hosting service offered by most ISP’s (I accept I am simplifying here). So what are we really talking about when the press pickup and pedal the term “cloud computing”. Looks to me like they are talking about SaaS, which again, has been around for a while, Hotmail anyone?, but not really taken off in the enterprise until it became “cloud computing”. So is this just a media spin to pedal Hotmail to the enterprise or just a natural progression from outsourcing boxes to apps? What is revolutionary here, I am yet to see.

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)

Consider these examples:

1. From an effort perspective, the effort required to secure a system is significantly less than that required to exploit it.
2. From a cost perspective, it is less expensive to prevent a serious data breach than it is to clean up and recover from one.

Point 1 above was illustrated very clearly to me on the IISP’s TopGun event I attended recently, and is a scenario that you have to step back from to fully appreciate. Eg. If you have a smallish network, with most modern services such as web, email, mobile, databases, websites etc, then the effort to secure that is quite mammoth. You have to consider the perimeter, the information, how its stored and used, what services are on offer and the impacts etc. Then you have to consider every conceivable vulnerability, patching strategies and stay on top and at least up to speed with the curve of change. All of these efforts equate to a team of people, but all it takes to break in, is 1 person with a brain, motive, and a few freely available tools.

Point 2 of course, was illustrated very well by a study by the Pnemon Instutue LLC in conjunction with PGP and Vontu (Symantec), this study evaluated the true cost of a breach of data security and considered factors such as direct and indirect costs, and has trended the data over the last few years with enlightening results.

Despite both of these points clearly illustrating that the best way to tackle the security conundrum is head on and proactively, those of us in the industry will all surely testify that getting the right backing, funding, and often, even the right audience with the business, is still a hard task. From my perspective, I will keep on trying, and keep on flying the flag in the hope that one day reality sets in and my job / life gets easier!

Like

Unlike

                          

Related posts

• IISP Top Gun event, Manchester, 30 June 2008 (0)
• Anything that can be engineered by mankind….. (0)
• ACME Supercomputing Inc – Roadrunner Beware (0)
• Snort Rocks! (2)
• Security as a Career (0)

The first thing I want to say on the subject is that Security is more of a state of mind than anything else. I have a saying, to be good in security you need to be sceptical with a healthy dose of paranoia! This point of view will serve you well when it comes to security as it will allow you to be objective and not accept things at face value. Secondly, you need an inquisitive nature and a thirst for knowledge, To be the best at security you simply need to be able to hunt out the truth and learn the latest concepts and techniques very quickly. Finally, you need to be a good generalist, I realise this point is contentious, but I truly believe that you need to have a good general grasp of everything technology related as well as your preferred specialism in order to cover the breadth of security. Of course you can be an expert in your chosen specialism, but you must have a grasp of how “everything” fits together in order to be good.

OK, so where do you begin? Well, for starters, you need to have a long hard think about what you want out of life. What I mean by this is, are you a “techy” or are you a “manager”? I realise you can be both (as I am), but when your starting out, the subject is so broad you need a direction to head. If your a techy,  then you probably heading down the threat, vulnerability and controls path, with topics such as ethical hacking, intrusion detection and firewalls on your learning list. if however, your more of a manager, your probably heading down the opposite path towards topics such as strategy, assurance and governance. Once you have figured this out, you can start to look at the material, courses and support networks available for each road to help you get going.

One important factor that should always be included however is your own personal growth and development. What I mean by this are the softer skills such as communication, empathy, leadership, coaching etc. All of these skills are fundamental to your success and should be developed in equal measure with your chosen subject specialisms. The biggest issues I face as an employer in this sector is finding good security people with excellent soft skills. Its too easy in this game to get trapped in a world of regulations or bits ‘n’ bytes, and forget that all your knowledge is pointless if you cannot make use of it and educate the world.

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)
• PCI-DSS Is it dead? (0)

So what I hear you cry!

Well think of this, Cloud computing is here to stay and can yield some massive processing potential, but its still quite young and clouds tend to be privately owned and sold to the highest bidder. But what if we could all club together and build a cloud so big, so powerful it blew the Crays and IBMs of this world out of the water?

Again, I hear the crys of yeah right!

Well, ask yourself this, do I own a PS3? if the answer is yes, welcome to the “PSCloud”

The concept is simple, in a PS3 there is an IBM Cell Processor with 8 CPU cores, a very powerful CPU indeed! and guess what, IBM’s Roadrunner uses them too, yes, the Roadrunner has just short of 13,000 Cell Processors in it, of course it has quite a few AMD’s as well (6.4K), but the cells are the bulk of it.

So lets look at the facts, the same basic architecture used for the supercomputer market is in our homes, and cloud computing is here to stay, well I’m no rocket scientist but I reckon if we put these two concepts together, Roadrunner and Jaguar have a problem on their hands.

As of November 2008, over 16 million PS3’s have been sold around the world, of which we can assume by the design and nature of the unit, that nearly all of them are connected to the internet, so if we were able to join them into a single cloud, what sort of processing power could we achieve?

I ask you this….. If 13,000 Cells and 6K AMD’s get you 1.6 Petaflops, what would 16million Cells get you?

All we need to make this happen is a software/firmware update to turn the PS3 into a cloud member and a peer based command and control mechanism, any programmers out there?

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Anything that can be engineered by mankind….. (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

Its a simple mantra, but one that has served me well in security.

Think of of this way, it doesn’t matter how intelligent you are, someone, somewhere is more intelligent! When it comes to security this is never more true. As we all know, security is asymmetric, in so much that the effort required to secure something is significantly more than that required to break into it. Given this point, it makes the mantra even more relevant! If security was symetrical, you would have a 1:1 effort relationship, however, as its not, (we will for the purposes of this article assume its 2:1, i.e. double the effort required to secure), it would theoretically take less brain power than it took to create the control to break it.

Obviously I accept that this is a very simplistic representation of the point, but one I think is valid.

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• ACME Supercomputing Inc – Roadrunner Beware (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

Which Penetration Testing Qualification is best from a Testing perspective:
Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

(NB: I have deliberately excluded “accreditation schemes” such as CREST and CHECK)

Like

Unlike

                          

Related posts

• Black, White or Grey? What colour hat do you wear? (0)
• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

Lets start with the TCP/IP stack. There are a number of quick easy wins here that can help defend against attacks through making the default behaviours of the stack more in-line with what we would like:

echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/lo/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/conf/lo/log_martians
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "15" > /proc/sys/net/ipv4/ipfrag_time
echo "2048" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "2" > /proc/sys/net/ipv4/tcp_synack_retries

Now, that little lot above needs some caveats. Firstly, use at your own risk! Secondly, As per usual, you often get a small performance hit when you start getting more secure, so test each tweak fully before you go into production. Once your happy with the ones you like, add then to your /etc/rc.local or other start up file of your choice.

The next step is to use iptables to help deal with dodgy looking traffic.

Step 1, set-up a bunch of new chains:

$IPTABLES -N CHECK_FLAGS
$IPTABLES -N ALLOW_ICMP
$IPTABLES -N SRC_EGRESS
$IPTABLES -N DST_EGRESS

Step 2, now lets get those chains to do something useful:

$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit
        --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "NMAP-XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit
        --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit
        --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type destination-unreachable
        -j ACCEPT
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
 
        for SRCNET in $EGRESS_NETS; do
                $IPTABLES -A SRC_EGRESS -s $SRCNET -j DROP
        done
 
        for DSTNET in $EGRESS_NETS; do
                $IPTABLES -A DST_EGRESS -d $DSTNET -j DROP
        done

Step 3, Apply the prior two steps to your input, forward and output chains as needed:

$IPTABLES -A $CHAIN -i $EXT_INT -j SRC_EGRESS
$IPTABLES -A $CHAIN -i $EXT_INT -j DST_EGRESS
$IPTABLES -A $CHAIN -i $EXT_INT -p icmp -j ALLOW_ICMP
$IPTABLES -A $CHAIN -i $EXT_INT -p tcp -j CHECK_FLAGS

Variables. In all of the above, variables are used to save typing!, here are some of the important variables, the rest are fairly self explanatory:

EGRESS_NETS="
        172.16.0.0/12
        224.0.0.0/4
        240.0.0.0/5
        14.0.0.0/8
        169.254.0.0/16
        172.16.0.0/12
        192.0.2.0/24
        192.88.99.0/24
        192.18.0.0/15
        0.0.0.0/8
        "

What we have just done is setup some new chains, apply some filters that can identify dodgy looking traffic and do something useful with it (limit it rather than drop it, as we don’t want to arouse suspicion with our attackers). Then apply all that nice Packet Mangling to each of our primary chains.

I provide all of this advice for free, with no guarantees, any use of the above code should be with full testing prior to its use in a production environment. Enjoy!

Like

Unlike

                          

Related posts

• Snort Rocks! (2)
• Free Security for All! (0)
• The Asymmetry of Security (0)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

lets put it into perspective. First of all, you have to accept that open source software is your friend, then accept that just because it doesn’t have a “GUI” doesn’t mean its any more complex. Ok, now that you have accepted an alternate reality, it is time to look at some comparisons. Lets look at some good, typically expensive security controls, typically, usually reserved for Banks, because “they have the budget for it”.

We will start with IDS “Intrusion Detection System”, specifically, the network variety (NIDS), deployed across the infrastructure, and designed to spot malicious traffic flowing across your network and highlight suspicious activity that may be happening under the radar. If you were to buy one of the very excellent and very expensive commercial solutions, on a medium size network, you could be spending 6 figures before breakfast. That’s a serious hole in a security budget, so what other options exist? Well, for a start, “snort” an open source, well maintained and mature project that’s been around for years. Its 100% free, and will only cost you the physical hardware and some administrative overhead getting it up and running. Its very scalable, equally configurable and its signatures are maintained by a community of experts in the field. What more could you ask for? Ok, so the reality is, in our scenario of 6 figures for the commercial solution, the free one would likely cost you 10-20K in hardware and specialist labour, but whats 20K compared to £200,000K, I know which one I would prefer to sign off.

Next, lets look at another hot topic, SIMS “Security Information Management Solution”. This is another typically large investment to essentially, analyse logs generated by the infrastructure. Again, the concept has been available in open source for years. Syslog servers shipping logs to each other with some sort of Perl analysis scripting has been around forever, and again, its just the labour and hardware costs to consider.

What about Firewalls? The staple diet of all organisations of any size. Now, these can be quite cheap or ridiculously expensive. I have built, deployed and managed most of the top end ones, and can after a career of using them, I can happily say, I would deploy a well configured “iptables” firewall in Linux over a Cisco or Checkpoint any day of the week. Ok, so you don’t get the nice gui with all your 200 firewalls in, but, there are options…. Gui’s exist, and again, a specialist can easily make this whole concept easily manageable for any organisation. Now, if a key control for limiting the impact of a hack is through network segregation, then the ability to deploy low cost firewalls can only improve the overall security of the network

So, if I had a 1000 user network to protect, a budget of 500K and full autonomy. I would spend 100K on every open source solution available, home grow some of my own, contract a team of top class Linux / security gurus to get it all up and running, then sit back in my SOC “Security Operations Centre” and wait for the siren to go off! Of course, I would take the other 400K as my bonus

Like

Unlike

                          

Related posts

• Snort Rocks! (2)
• Linux Defence Tweaks (0)
• The Asymmetry of Security (0)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

C|EH (Certified Ethical Hacker). Anyone who has been in that area of work for a number of years will state that the C|EH is rubbish, and, of course, they are right. Having done the qualification, I can vouch for the fact that it is a tools based approach to hacking, with a heavy slant towards using windows as your attacking platform (which is wrong for so many reasons). It does however, give you the basics, and teaches you about basic methodologies etc. …..So, you might ask, why do I say I am a C|EH, if I know its pointless? Simple. To a purist hacker, its a waste of time, but commercially it has value as it is recognised by clients and companies alike as the de facto standard for hacking. This difference in perception is a prime example of how a qualification can bring credibility with the audience you want. All of my team are C|EH, because, when I write a proposal for a client, I can say, all my team are “Certified Ethical Hackers”. They of course understand this and as a bonus, the first two words add a level of “comfort” to what sounds like a venture into the dark side!

Now, let’s look at another qualification (CISSP) “Certified Information Systems Security Professional”. This is about the best baseline security qualification in play today. It is very broad in it’s syllabus and well maintained through its CPE “Continual Professional Education” requirement. This qualification really does work on both sides of the fence. Clients like it and so do the professionals What it doesn’t do is guarantee that the holder of the qualification is a deep specialist in a given area, but what it does very well, is mandate a baseline of knowledge with real width in the subject of security.

Here are my views on how they pin together:

Some example credentials that mean something to your peers:

• GIAC’s (Any of them!)
• CITP
• OSCP

Some example credentials That mean something to your clients or employers:

• ITiL
• PRINCE2
• C|EH
• CCNA

Some example credentials that mean something to everyone:

• CISSP
• CCNP

This is not the most exhaustive list, but is a start. The underlying piece of advice here is, when your picking a credential to study for and invest in, think how it will add value to you and your situation, and see if there is a better option available. Knowledge can be learned for free, credentials have to be bought!

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)

I can definatley say its come a long way. It was much easier to install, and only took a small amount of syntax debugging to figure out the configs. During my research / re-learning curve though it would seem that version 2.8 with the stream5 processor is not as good as version 2.4 with the flow processor at detecting portscans. This was certainley the concensus of the community, and after a bit of playing I can agree. However, I now have sfPortscan running with stream5 and its seems pretty accurate to me, so I am certainly happy with the results.

BASE is also a welcome move onwards from what used to be a very clunky interface. It seems light and intuitive, with decent features. I think it could do with the addition of some basic graphs, rather than having to use the graph engine to define your graphs each time, but on the whole i think it is certainly a good alternative to spending a large amount of money on a commercial product. Certainly the ability to abstract the managemnet interface, data storage and sensors from each other gives you a highly scaleable model to use a basis for a large scale deployment.

Of course, if you don’t fancy the pain of compiling code from scratch, or your just dam lazy, check out EasyIDS for a complete “IDS in a box” that gives you everything I just said with none of the hastle!

….You just can’t ingore the momentum that opensource has gained

Like

Unlike

                          

Related posts

• Linux Defence Tweaks (0)
• Free Security for All! (0)
• The Asymmetry of Security (0)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

Ok, so the basic concept is simple, setup three primary work streams or “functions”, 1 is a Risk Asssesment and Classifcation Function, 2 is a People / Process/ Awareness, and 3 is Controls, both protective and detective as needed.

The idea is that the risk assessment process runs in a cycle with inputs and outputs at the core of the system which serves as the engine for security. Its easier to explain in a diagram, take a look:

Genious or Madness, its your decision, I like it because its simple and can be applied to any situation. Of course I agree with arguments such as “where is the governance?”, “what about strategy” etc, but quite simply, thats not what this is. This is a simple security process that allows you to feed information in and get solutions out.

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)

PCI on the other hand has a few cards left to play, first we see the move from 1.1 to 1.2, and although the content is still uncertain, it is likley to include calrifications of “what they actually meant” and additions. Aside from the revisions now and future to the PCI-DSS, PA-DSS, and other relevant standards are likeley to appear to help ensure that those organisations we entrust with our data, do the minimum to keep hold of it.

of course, we have seen some clarifications and “movement” on the existing standard, as well as finally, some teeth being displayed by the PCI through fines.

In my view, PCI is by no means dead, or even old news, its just part of the legislative landscape that is a part of business today, not to be ignored.

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)

As I mentioned in the opening CEO article, the inaugural Top Gun event in Manchester was a great success on many fronts.  We had 20 participants, organised into the Red and Blue teams, plus 5 members of the Control Team, and the day just seemed to fly past, so intense was the concentration, interaction, ingenuity and fun.

We cannot give too much away as to the content of the case study or the processes we followed on the day, for fear that we might spoil some of the element of surprise for participants in future events.  Suffice to say that those who were there threw themselves into the exercise and, accordingly got the most out of it, as well as proposing a few additional suggestions for developing and improving it for future players.

Let us however, convey the particular views of a member of one of the teams, and let them tell you what they thought of the event.

“TopGun, The Blue View. (Jay Abbott, PwC)

I have to admit, I was genuinely sceptical about the TopGun event as the idea of playing the Security equivalent of Battleships during one of my busiest times of the year was not one that featured far up the “to do” list, that said, I am genuinely pleased that I made the time to attend. We arrived with very little information about what was planned, and were immediately split into two teams, Red and Blue, The Red were of course the attackers, and Blue were the defenders and the teams split had been pre-planned by the organisers to ensure that a good cross section of skills rested in each team to keep things fair.

The remit was simple, we each were given suitable pieces of a puzzle, i.e. some deliberately sketchy information related to the organisation, typical of that you would find on your first day of work or your first information gathering exercise. From there it was a case of building a better picture of what you have and figuring out the best way forward (sound familiar?). At this point, the teams were physically split and departed into adjacent “war rooms” to prepare their respective strategies. We each could communicate with our “control” staff, who acted as the coordination of the event and holders of information. The co-ordination role was pivotal in the success of the event as they were able to coordinate the virtual attack and defence strategies in real-time to keep the feeling of real-life and to ensure that the game was fair.

From a blue perspective it was business as usual, we had a budget and an environment to protect, we had to evaluate the skills in our team, establish specialism’s that could work in key streams, and run the entire thing like a project.

All in all it was a very worthwhile day that created a great deal of discussion and provoked much debate. What I personally took from the day was something that I see all too often, but is perhaps not as obvious to all, to quote Paul Dorey on the day it is summed up in the phrase “Security is Asymmetric”. Put simply this is the fact that someone attacking an organisation need only find one hole or vulnerability in order to succeed, while those protecting the organisation must try to plug every hole and mitigate every vulnerability to be secure.”

Event wrap-up discussion and lessons learnt – great work everyone!

The participants captured their comments on an evaluation form and we are reviewing and acting on those comments.  They also scored the event out of a scale of 1 to 5, and rated the event at 4.3 overall, but with specific scores of 4.5 for facilitation and presentation, and 4.6 for opportunity to discuss and exchange ideas.  A great success by any measure.

Thanks to all involved, and to PwC, our hosts for the day.

Courtesy of the Institute for Information Security Professionals

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)

…..you put your file in a safe, I crack into the safe.

………you put your file in a safe, and lock the safe in a strong/secure room, I crack the room then the safe.

………..You put the file in the safe, in the room, at the bottom of the ocean, I go elsehere to get a different file!

People often talk to me about controls, and want to know which one is best. The answer typically is either all, none, or both. The more layers you have, the more security you have. But lest we foget the basics, understand the cost of the control vs the cost of the asset through a formal Risk Assessment Process.

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)