
Archive for October, 2006

Please Welcome Joe Knape - new Catalyst Contributor!

Please join me in welcoming Joe Knape as a contributor to the catalyst community. I have known Joe for 6 years now, and during that time have learned much and enjoyed many conversations with him. And now you’ll have the benefit of reading (and sometimes hearing) his ideas.

About Joe Knape
Joe has been providing information security expertise to clients ranging from sole proprietors to Fortune 500 companies for over 15 years. A long-standing industry veteran, he directs his clients toward a safer computing environment by helping them leverage their existing infrastructure and marrying it to the people, processes, and technologies that are most appropriate for them, based on their goals, objectives, and requirements. Mr. Knape’s drive to use existing assets more efficiently and to “do more with less” allows his clients to reduce risk and minimize their threat profile regardless of group size, budget restrictions, or other constraints.

Mr. Knape’s professional background includes information security planning and policy development, management of security assessment and penetration testing teams, software development, and reverse engineering.

He is a contributing author to Firewalls: The Complete Reference, and has provided pre-publication review for a number of security and technology books, including Security Architecture: Design, Deployment and Operations and Tim Maher’s Minimal Perl. Mr. Knape participated in the development of the Certified Wireless Security Professional certification and is designated as a Certified Information Systems Security Professional (CISSP).

Posted in Information Protection

Security Catalyst 37 - The FBI asks for help… so let’s help!

In this episode, we explore how we can effectively partner with the FBI to share information in the form of a CONVERSATION where everyone who participates gains. I lay out three steps that I think we should discuss to improve this process. I look forward to your feedback.

Sites to See

http://www.changethis.com/

Some of the recent manifestos that I have read and enjoyed:

http://www.changethis.com/19.CreativeGeneralist

Actually, there are many on the list, and while reviewing the site again today, I downloaded and printed a few off. Many good things here to read and consider. Heck, we should consider submitting Security 2.0. Anyone want to write with me?

News Articles About the FBI Announcement

Cybercrime High On FBI Priority List; Help Wanted

FBI: Companies Need to Report Cyber Attacks

As you know, I am a strong supporter of the FBI and have suggested three ways that we all need to work together to make a difference.

1- We need to bring together academic, private and public sectors and begin a real dialogue about how to measure the effectiveness of security. We have enough brain power and models available. The time has come to advance real solutions. When we have a better model, we can work to share more information.

2- We need a taxonomy. We need an “open-source” style taxonomy that covers the breadth and depth of knowledge and experiences that we would need to cover. As we launch the community, I hope to advance this. I look forward to your help.

3- We need a way to mutually share information. I listed out a variety of ways and will be testing one in my local InfraGard chapter in the coming months. Stay tuned!

Updated Note: The episode doesn’t seem to be included in the feed. I’m trying to figure out why and should have it fixed tonight or tomorrow morning.

 
SC37 [24:32m]

Posted in Information Protection

Catalyst on the move

I know some of you don’t care to ever meet me in person, which is cool (even though I shower daily!). For those of you who do, I am heading to Denver this evening and will be there until Wednesday afternoon.

On Wednesday, I’m heading out to Seattle to work with a new client and talk to some others.

In both cities, I’ll have some time for an impromptu happy hour or gathering - so if you’d like to meet me in person, drop me an email: securitycatalyst [at] gmail [dot] com.

Also, I was toying with the idea of providing a free lunch and learn session in each city (Wednesday for Denver and Friday for Seattle). If you have a company that might benefit and could pull it together on short notice, you’ll get a chance to work with me if we can make our schedules match. See Security 2.0 in action!

Well, safe travels, and hopefully a podcast this week!

Posted in Information Protection

Security 2.0 is about breaking down silos - do you do it?

As I continue to explain and expand Security 2.0 through coaching, consulting and training/speaking, I have been stressing the need for businesses to take a multi-disciplinary approach to the way we practice security. While this approach is central to who I am, I have also started spending more time studying other areas (design, drawing, photography, adult learning, psychology, etc.) in an effort to seek new ways to improve what we do.

I was truly delighted to read this posting from Jeff Cornwall, Director of the Belmont University Center for Entrepreneurship, discussing this very approach being applied in a way to break down the silos in corporate America. You can read the post here: http://forum.belmont.edu/cornwall/archives/005961.html

As I continue to practice Security 2.0 through our Effective Assurance offering, I have the opportunity to engage corporations in this very discussion. In short, the time has come to stop thinking about security as a silo - which is as important for those of us in security as it is for the business. If we desire to be more effective and truly make a difference, then the time has come for us to go beyond and study marketing, sales, design, and other means of effective communication.

I enjoyed this conversation just today - and those in my course (experience) shared a conversation about the need to be able to relate security to more people by (1) understanding your audience and (2) being able to relate to others, sometimes through the use of scenarios/stories. Both of these are worthy of more in-depth postings, and I will endeavor to do such in the coming weeks. For now, I’ll outline some brief thoughts.

Understand Your Audience

Many of us in the technology industry get so comfortable with the technology that we sometimes forget that other people don’t share our passion or knowledge. If we want to help break down the silos, then we need to communicate more effectively by knowing our audience. Does your audience prefer facts, figures and statistics? Do they want background, or only the punchline? And are you answering their questions, or satisfying your own needs?

To be highly effective, it is important to understand how to present your message in a way that your audience will more readily receive it.

The Power of the Story

I am a believer in the power of the story - especially when it comes to explaining security. Stories allow us the opportunity to relate key concepts to others in a manner that can be readily understood. Try it today - if you have to explain a concept, explain it by telling a short story. I find it’s best to be honest and maybe even reveal something about yourself in the process, since we all have the “human experience” in common.

I’ll keep expanding on these concepts - but the key for today is to start applying some of these concepts. Look at what you are doing from a different perspective, think about how you present differently and start practicing the art of explaining what we do through stories.

Posted in Information Protection

The Catalyst Community…. is…. sorta almost there

As we slowly build the community of trusted catalysts (and I am pleased with the growth of that grouping), we have been experimenting with and trying to seed the catalyst community. I had hoped to declare that “open” this past weekend, but it just didn’t “feel right” to me, so I have decided to hold off.

I’m in the midst of an insane travel schedule (that’ll last the bulk of the month); the upside is that I am spending a lot of time explaining Security 2.0 and working with some excellent clients to make a difference. That’s also giving me time to realize that the community needs to be well-designed and fill a need.

What do you want in a community? My vision is simple: create a supportive environment to nurture and improve the way we practice information security. The larger goal is to continue to explain and expand Security 2.0 and help relate security to more people.

To that end, I think we would be able to bring people together and share knowledge, ideas, ask questions and offer advice through the use of the following:

  • wiki(s)
  • forums (something along the lines of vbulletin)
  • url/feed submission, tracking and ranking
  • document repository

In addition, we have and will continue to support:

  • email list(s)
  • SILC chat server

As we continue to design a simple, but effective, community to serve our needs, I’d like to hear from you:

1. What are some online sites or communities that you think “got it right?”

2. Did I miss any features that you would like to see (and would enhance the way you share information)?

We will keep evaluating solutions and as soon as we find one, cobble a few together or otherwise figure something out, we’ll set it up, open it up and welcome you in. Ideas, insights and financial support welcomed (especially if we go with something more commercial in nature).

Posted in Information Protection

Do you know what you’re signing?

I’m amazed at the number of people who blindly sign contracts.  You don’t do that with your own blank checks, do you?

Still, here we go again.  The day before an important contract is to be signed (by my company), someone (wisely) decided it needed to have a quick “review by security.”  I shouldn’t complain, at least I was given a chance to see what we were getting into.  Normally, contracts are signed and I only find out about it when the software or service goes live.  Then it’s too late for any changes - and we often get stuck footing the bill for changes or cleaning up the mess.

For the record, I was asked to review a “standard” contract that came from the vendor providing a service to my company.  As expected, it was written by the vendor and strongly in their favor.  It’s amazing what others try to hide in a contract.  (We won’t talk about EULA’s here.)  I used this opportunity both as a learning experience and an educational opportunity (even for our lawyer).

Contracts are supposed to spell out the details of an agreement in a way clear to all parties.  So given the opportunity to review this document, I had a simple objective: create clarity of expectations out of ambiguity and ensure my company would not be liable for the vendor’s mistakes, defects, or deficiencies. 

In this case, my involvement helped us prevent some situations we would prefer to avoid. But this experience brought to mind a question:

Why is it important for information security to review contracts before they are signed? 

I fear that most people involved in contracts believe that the lawyers and “the business” have all of that covered. Either that, or many dislike “legal mumbo-jumbo” and don’t take the time to review the contract. I understand where those beliefs started - but times have changed, and if we want to be successful, we also have to change.

Today’s Security 2.0 professional must be able to read, review, and provide comments on legal documents and contracts.  This does not mean that you need a legal degree or extensive knowledge of contracts.  It does mean that we need to move beyond IT. 

It’s all about protecting the business. We must be engaged in negotiating, interpreting, and managing contracts with the business. Our unique knowledge and viewpoints allow us to spot issues that may be missed by others. We need to interact knowledgeably with legal counsel and those handling business contracts and offer educated suggestions. Showing how we add value increases the likelihood of our continued involvement. It’s all about collaboration and working together to secure the infrastructure.

How do we reach this nirvana?  By reading and studying in areas outside of IT. The Security 2.0 professional grows outside of his/her IT comfort zone to better understand the inner-workings of the business.  When asked to review a contract, take your time, understand the legalese, ask questions when you don’t know something, and show you can add value to the process. 

To help, here are two resources that are impressive and useful: ChangeThis (http://www.changethis.com/) and the Personal MBA (http://www.personalmba.com/). They have many resources and articles to help you think outside the IT box. 

Michael Santarcangelo is developing these and other concepts of Security 2.0, so stay tuned.

By working together, we all become stronger.

Posted in Information Protection

Risk Management - Making Effective Decisions (Part 2 of 2)

by David Stern, CISSP

In the first part of this series, we introduced the need to consider a decision making framework. Now we’ll go through a real world example to gain a better understanding of the process.

What is the vulnerability?

This question aims at gaining a broad situational awareness of the problem.  From Secunia advisory 22127:

“A vulnerability has been reported in Microsoft PowerPoint, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is due to an unspecified error when processing PowerPoint documents containing a malformed string. This can be exploited to corrupt system memory and may allow execution of arbitrary code when a malicious PowerPoint document is opened.”

The key pieces are the three phrases above: it can be exploited by malicious people, it is triggered by a malformed PowerPoint document, and it may allow execution of arbitrary code. Putting them together, we see that a successful attack exploits PowerPoint and forces it to run the attacker’s code on your system. PowerPoint is a very popular application found on large numbers of corporate systems. The ability to execute arbitrary code makes this vulnerability much harder to deal with. While it may turn out to be nothing, for now this vulnerability warrants further investigation.

What does it affect? We know PowerPoint is the target, but with most vulnerabilities, the combination of operating system and application version matter. In this case, the following are affected:

Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft PowerPoint 2003

As a decision maker for your organization, you should have a general idea if you run one of these.

How is it delivered and how hard is it to deliver?

The vulnerability report states that the exploit involves “processing PowerPoint documents containing a malformed string.” Clearly, PowerPoint must open one of these bad files. If your organization emails presentations around, then the delivery method is clear. The report also states that “This vulnerability is reportedly being exploited in the wild.” An active exploit has been crafted and is traveling the ether. A good percentage of reported vulnerabilities never evolve into coded exploits, so this added information should also elevate your interest level.

Does my organization use any of the affected systems?

My real world example of Code Red shows the importance of good asset management. The people in your organization responsible for desktop applications should definitively answer this question. If they can’t, this will be a great time to get that in order. Asset management is a critical piece of the risk management process. You certainly cannot manage risk that you don’t know exists.

Do I have any controls in place that would slow down or eliminate the effects of this vulnerability?

Here is where you really need to rise above the FUD. Let’s presume that you have a vulnerable version of PowerPoint deployed. Your IT group will need to deploy a patch, but that won’t happen instantaneously. You know that PowerPoint must open a bad file to be exploited. So, until the patch lands, what you need to do is keep a bad file from getting into the organization, and keep users from opening it if it does get in.

What do you have in your arsenal that you can use?

If you are a decision maker, then it is probably not your job to delve into technical nuances here. At a high level, you can initiate at least three courses of action. First, check with your anti-virus vendor to determine whether they have released a signature update that catches the malicious documents at the desktop. Second, check your email controls and see whether you can block PowerPoint attachments from outside senders; if that impacts business processes, apply it as a temporary measure and lift it once the patch is deployed. Third, craft a company-wide communication that warns users not to open PowerPoint attachments.

As you can see, this process is fairly straightforward if you understand the terminology. If the answers to the questions indicated that you did not run PowerPoint, and your IT group validated this fact, then no action would be needed. If you did run PowerPoint, but there was no exploit in the wild, then perhaps you could simply wait for the patch to be deployed. There are many possible branches on this tree, but by taking a high level, methodical, and FUD-less approach, you become an effective decision maker and an asset to your organization.
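The branches described in this post, walked through in code. This is an added example and not David Stern’s own code or tooling: the advisory record is transcribed from the Secunia 22127 text quoted above, while the asset inventory, the install counts and the three control labels (av_signature, mail_attachment_block, user_warning, standing in for the three courses of action) are constructed for the illustration. The one deliberate wrinkle is the `validated` flag on the inventory: following the Code Red lesson, an unconfirmed “we don’t run that” is treated as an open question rather than a reason to close the alert.

```python
import re
from dataclasses import dataclass


@dataclass
class Advisory:
    """What is the vulnerability, what does it affect, how is it delivered."""
    product: str
    affected: list           # product names as printed in the advisory
    delivery: str
    exploited_in_wild: bool  # 'how hard is it to deliver?'


@dataclass
class Inventory:
    """Answer to 'does my organization use any of the affected systems?'"""
    installed: dict          # product name -> number of installs (constructed)
    validated: bool          # did the desktop/asset group confirm this list?


def normalize(name: str) -> str:
    """Fold vendor prefix, case and spacing so an advisory entry such as
    'Microsoft PowerPoint 2003' matches an inventory line 'PowerPoint 2003 SP2'."""
    n = name.lower().replace("microsoft ", "")
    return re.sub(r"\s+", " ", n).strip()


def affected_installs(advisory: Advisory, inventory: Inventory) -> dict:
    """Return {inventory name: install count} for entries the advisory covers."""
    wanted = {normalize(a) for a in advisory.affected}
    hits = {}
    for name, count in inventory.installed.items():
        n = normalize(name)
        if any(n == w or n.startswith(w + " ") for w in wanted):
            hits[name] = count
    return hits


# Labels invented for this example: the three courses of action in the post
# (AV signature at the desktop, mail attachment block, user warning).
INTERIM_CONTROLS = {"av_signature", "mail_attachment_block", "user_warning"}


def triage(advisory: Advisory, inventory: Inventory, controls: set) -> tuple:
    """Walk the five questions and return (decision, reasons)."""
    reasons = [f"{advisory.product}: {advisory.delivery}"]
    hits = affected_installs(advisory, inventory)
    if not hits:
        if not inventory.validated:
            # The Code Red lesson: "we don't really use IIS" was an unverified
            # answer. An unvalidated negative does not close the alert.
            return "verify inventory before closing", reasons + [
                "no affected install recorded, but the list is not validated"]
        return "no action", reasons + ["no affected product installed (validated)"]
    reasons.append(f"{sum(hits.values())} affected install(s): {sorted(hits)}")
    if not advisory.exploited_in_wild:
        return "patch on the normal schedule", reasons + ["no exploit in the wild"]
    # Exploit in the wild plus vulnerable systems: the patch cannot be instant,
    # so check which interim controls can slow delivery in the meantime.
    missing = sorted(INTERIM_CONTROLS - set(controls))
    if missing:
        return "expedite patch; deploy interim controls", reasons + [
            f"controls not in place: {missing}"]
    return "expedite patch; interim controls already in place", reasons


# Advisory record built from the Secunia 22127 text quoted in the post.
SECUNIA_22127 = Advisory(
    product="Microsoft PowerPoint",
    affected=[
        "Microsoft Office 2000", "Microsoft Office 2003 Professional Edition",
        "Microsoft Office 2003 Small Business Edition",
        "Microsoft Office 2003 Standard Edition",
        "Microsoft Office 2003 Student and Teacher Edition",
        "Microsoft Office 2004 for Mac", "Microsoft Office X for Mac",
        "Microsoft Office XP", "Microsoft PowerPoint 2000",
        "Microsoft PowerPoint 2002", "Microsoft PowerPoint 2003",
    ],
    delivery="user opens a PowerPoint document containing a malformed string",
    exploited_in_wild=True,
)

# Constructed sample inventory and control list, not real data.
SAMPLE_INVENTORY = Inventory(
    installed={"PowerPoint 2003 SP2": 1200, "Office 2007 Beta": 3, "Firefox 1.5": 1400},
    validated=True,
)
SAMPLE_CONTROLS = {"av_signature"}

if __name__ == "__main__":
    decision, why = triage(SECUNIA_22127, SAMPLE_INVENTORY, SAMPLE_CONTROLS)
    print(decision)
    for line in why:
        print(" -", line)
```

Run as-is, the sample inventory has 1200 vulnerable PowerPoint installs, the exploit is in the wild and only the AV signature is in place, so the result is “expedite patch; deploy interim controls” with the mail block and user warning listed as the gaps. Flipping `exploited_in_wild` to False yields the “wait for the patch” branch, and an inventory with no PowerPoint yields “no action” only when `validated` is True.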

Posted in Information Protection

Risk Management - Making Effective Decisions (Part 1 of 2)

by David Stern, CISSP

In the last session we discussed the taxonomy and terminology of security vulnerabilities. Now that the language is not foreign, some of the FUD (fear, uncertainty, and doubt) should be gone. However, the daunting challenge of determining an appropriate response to a vulnerability alert or discovery still looms. Evaluating the real impact of a published vulnerability is not an exact science. There are just too many factors, many of which simply come from raw experience.

In this short series, we will discuss a basic process framework that can be used to lead a decision maker down the right path. By answering the following questions, one should be able to arrive at a proper course of action (It’s too bad that I don’t have a catchy acronym):

  • What is the vulnerability?
  • What does it affect?
  • How is it delivered and how hard is it to deliver?
  • Does my organization use any of the affected systems?
  • Do I have any controls in place that would slow down or eliminate the effects of this vulnerability?

With this information collected, you should have enough to make a rough evaluation of the risks at hand.

At first glance, the questions might seem out of order. “Wouldn’t it be more efficient to determine if my organization even uses the affected product? If they don’t, I can simply ignore this alert.” Well, not really.

On July 19, 2001 the Code Red worm began its massive global propagation campaign. At the time, I was working in corporate risk management for one of the largest banks in the world. Keep in mind that web based applications were just starting to come into popularity. When the alert came in, the organization did their risk analysis and triaged it to a low status since “they really didn’t use IIS much. Maybe a handful of installations. We are a WebSphere shop.” Right.

Within hours, the network was being hammered. When it was all over, thousands of man-hours, equating to millions of dollars, were spent cleaning up. IIS was installed automatically with Windows 2000 and it was being tested by dozens of internal development groups. In fact, there were hundreds of instances of IIS running on PCs and on servers under desks. The lesson here is simple: do the two-minute triage on every alert that comes with an elevated rating.

In our next posting, we will go through some real world examples to gain a better understanding of the process.

Posted in Information Protection

Security Round Table - Episode 5 - Security of VoIP in the Enterprise

Join us for our fifth exciting episode of the Security Round Table. Our special guest (and now newest member) is Dan York from: Blue Box: The VoIP Security Podcast. In this episode, we look at the general overview of VoIP technologies and the security risks - as well as the myths.

Dan is a true expert and instructor on this topic - and school was definitely in for the SRT team!

Joining in on this episode:

Paul Asadorian | Pauldotcom Security Weekly
Martin McKeay | Network Security Podcast
Larry Pesce | Pauldotcom Security Weekly
Michael Santarcangelo | The Security Catalyst
Alan Shimel | SSAATY (Still Secure After All These Years)
Dan York | Blue Box: The VoIP Security Podcast

**Note - soon you will only be able to get this podcast by subscribing to the SRT podcast.**

Posted in Information Protection