Archive for August, 2012

Aug 28 2012

Network Security Podcast, Episode 286

Published by under Podcast

We shouldn’t let Rich take care of the show notes.  Sometimes he simply reuses last week’s show notes and forgets to change the flavor text at all, in which case we give him a hard time.  After a short break, the whole gang is together again this week, though Rich let it drop that this streak won’t continue, as he’s on the road again next week.  And Martin is going to be in Seattle when this episode drops, which is why it was actually recorded on Monday afternoon instead of Tuesday, like normal.  Finding something within a standard deviation of ‘normal’ is a little hard though, as we all admit.

Network Security Podcast, Episode 286, August 28, 2012

Time: 37:58

Show notes:


Aug 26 2012

Put up or shut up: Lead with action, not words

Published by under General

Oracle CSO, Mary Ann Davidson, says information sharing isn’t happening based on her experience as CSO and President of an IT Information Sharing and Analysis Center (IT-ISAC) chapter.  I think someone who says information sharing isn’t going on is looking in the wrong places and has her head stuck in the sand.  Her conclusions are probably accurate from her point of view; she’s not seeing much information sharing from Oracle or IT-ISAC, so it must not be going on.  But I think her viewpoint is myopic.

From my point of view, there is a lot of information sharing going on out there.  This week I was at the bi-weekly Advanced Cyber Security Center (ACSC) meeting in Boston, MA.  Over the summer I spent a week in Malta at the annual Forum of Incident Response and Security Teams (FIRST) conference.  I’ve been to over a dozen conventions this year alone and spoken to hundreds of security professionals of every level.  There are also thousands of people in security who spend time every day interacting on Twitter and other social networks, building relationships with people who share their passion for security, and sharing information.

Then there are all the information sharing efforts I’m not involved in but probably should be.  Things like the Dragon Research Group, the Shadow Server Foundation, the SANS Internet Storm Center, Emerging Threats, as well as a host of others.  These efforts are led by volunteers who like to dig deep into some of the dark corners of the Internet and share with others what they’ve found.  Some of it is supported by businesses, but the majority of the effort is led by people who are passionate about security and want to share what they’re finding for everyone’s benefit.

There’s also a lot of intelligence being shared by the industry in the form of monthly, quarterly and annual reports.  My personal favorite is the Data Breach Investigations Report (DBIR) provided every year by the folks at Verizon.  The reports that come from Symantec, McAfee, Prolexic, Dell and Arbor, just to name a few, also add to the breadth of knowledge we have available.  I’ve even been contributing to the Security section of the Akamai State of the Internet Report the last few quarters myself.  And there are more industry blogs than you can shake a stick at if you care to spend, oh, maybe 30 seconds in your favorite search engine.

My point is, there’s a lot of information sharing going on; it’s just not neatly packaged up in a way that lets a senior manager easily say, “Here are the specific actions my corporation should take based on this data.”  It takes work to review the sources and synthesize the information into something that could legitimately be called knowledge.  So far, the ACSC is the organization that works best for sharing directed information, but that is in large part because the group is limited in scope (New England area organizations only) and because it meets every other week for face time and information sharing.  It takes trust, which generally is something you’re only going to earn over time by consistently being available and being trustworthy yourself.  Trust is gained one person at a time, not just because you’re part of a big company or you think you’re a big name in the industry.  Meeting once a quarter or just using forums and mailing lists isn’t going to earn much trust, nor is admonishing people for not sharing.

If you want to further information sharing in the security industry, businesses need to begin by sharing a little of what they’re seeing themselves, not expect everyone else to come to them with information.  Oracle has a horrible reputation when it comes to sharing security information.  When was the last time anyone saw a real, valuable announcement about a vulnerability in an Oracle product before it was a zero day or before the researcher ran out of patience after waiting two years to publish his or her findings?  What information is Oracle publishing that’s valuable to the industry or talked about as a resource everyone just *has* to read?  Rather than implying I’m a bad Internet citizen by telling me I should share more information, show me how it’s done.  Come to the table with something of value, show me how to contribute in return, give me an example I’ll want to follow, rather than whining because I didn’t give you something first.  Lead me by showing me how it’s done, not by telling me I need to do a better job of it myself!

One of the points where I think Mary Ann Davidson is dead wrong is in being condescending about concerns for personal privacy in information sharing.  If we have learned anything, it’s that properly anonymizing data is HARD.  Remember when AOL released search data to researchers in 2006?  It was quickly shown that it was relatively easy to take the data and link it to people in the real world.  If we’re asking for that level of information sharing between companies and government, we need to be absolutely certain we’ve taken as much care as possible to protect individuals, and only reveal their information when it’s actually needed as part of the threat intelligence, which I’d say is probably only 1 case in 10,000 or more, since the majority of traffic from individuals has no bearing on security.  Maybe Mary Ann is willing to hand over her information to every information sharing entity and the entities they interact with, but I’m not.  Besides which, I’d be willing to bet that personal privacy is only a stalking horse for most businesses; they’re really more concerned with sharing their company’s private information than the private information of their customers.

Rather than complain that we’re not sharing enough as an industry, we need to work on sharing information about attacks, attackers and malicious traffic in a safe and sane manner.  This doesn’t mean just sharing traffic captures, which 99% of management professionals wouldn’t understand anyway.  It means identifying threat actors, doing what we can to create positive attribution, and sharing that data with other companies and the government.  This doesn’t just mean the stuff that goes on behind closed doors; it means creating more reports that show real statistics and contain valuable analysis for the industry as a whole.  Give me tools that I can use to help make informed decisions about securing my corporation and I might just surprise you by reciprocating.


Aug 14 2012

Network Security Podcast, Episode 285

Published by under Podcast

This week we’re joined by Adrian Lane (Rich’s coworker, but it was Martin’s idea) to give us some more insight on his latest WAF research. The WAF situation is actually a lot more nuanced than the “sucks/wins” arguments we usually hear. And, as usual, we also discuss the latest security news (without Zach, who has a “job” that takes his “time” or something like that).

Network Security Podcast, Episode 285, August 14, 2012

Time: 41:16

Show notes:


Aug 07 2012

Network Security Podcast, Episode 284

Published by under Podcast

Martin has decided to give Zach and Rich the week off, since he’s on the road and won’t be able to record a proper show this week.  Or he had a couple of interviews from Black Hat that needed to get out and that he didn’t feel like releasing as microcasts.  Take your pick.  Bryan Sartin and Sean McGurk are first, talking about Verizon’s Data Breach Investigations Report and the scary reality of our SCADA systems, followed by John Howie from the Cloud Security Alliance, who talks about what the CSA does and why.  We’ll be back to a normal podcast next week.  Or at least as normal as possible.

Network Security Podcast, Episode 284, August 7, 2012

Time: 32:34


Tonight’s music:  Absentee by John Statz


Aug 01 2012

Network Security Podcast, Episode 283

Published by under Hacking,Podcast

The yearly pilgrimage to Las Vegas for BlackHat/DEFCON/B-Sides is over, and recovery mode is in full effect, and none of us got arrested/detained/married in Vegas (at least we don’t think so…).  It’s completely Martin’s fault that this week’s podcast was released late.  Sometimes a nap turns into a full night’s sleep after a week in Vegas.

Network Security Podcast, Episode 283, July 31, 2012

Time: 41:01

Show notes:
