
Archive for June, 2007

I’m speaking at the NYS Internal Control Association on Thursday and will be in Baltimore on Friday

Lately, it seems like the days are just flying by. As the different initiatives I have been focusing on are getting completed and being launched, I’m turning my time back to blogging, podcasting and working to help support organizations committed to changing the way people protect information (of course, the different solutions I’ve been developing are designed to make that a bit easier for everyone). Along those lines, if you live in or will happen to be in the Albany, NY area this coming Thursday, I wanted to let you know that I will be presenting a version of the Into the Breach keynote on Thursday. I’m really excited to have the opportunity to start to share the research that has gone into creating Into the Breach and offer some simple tips on how you can prepare your organization and make a difference.

More details on the meeting are here: http://www.nysica.com/meetings.htm

Based on the request, I’m also going to discuss the approach and research that went into the Information Protection Assessment Toolkit (IPAT). It won’t be a sales pitch. Instead, I’m going to focus on why I created the IPAT and how you can apply the principles to your work. I have a few more “pending” speaking dates coming up, and I’ll try to post up information about the public dates so that you’ll be able to attend. If you want more information about the keynote and workshops, please send me an email at securitycatalyst@gmail.com. We can set a time to talk and explore if the keynote or workshop would be right for your organization and could help you engage people to change the way they protect information. I’m always up for a fun discussion - with no strings attached and no pressure. If you need someone to help, give me a shout. You can also check out Into the Breach (sssshhhh, I’m going to tell you more about that tomorrow).

Baltimore
I’m planning to head to Baltimore on Thursday night to attend the CSO Breakfast Club on Friday morning. In fact, we’re planning an exciting announcement while we’re there for those who attend the events. You can learn all about the awesome CSO Breakfast club here: http://www.csobreakfastclub.com/.

I have some meetings planned for the afternoon, but I purposely booked a later flight back to Albany to have some time to catch up with a few friends. If you’re in the area and want to catch up, I’d love to hear from you. If you don’t mind venturing near the Airport, we can start the holiday weekend off in a happy way. I’m looking forward to being back in the area.

Keep making a difference!

Posted in Uncategorized | Comments

Recent Activity in the Security Catalyst Community

While my recent business focus has kept me consumed, I have remained committed to participation in the Security Catalyst Community. In fact, now that we have launched the IPAT (more details and special offers to follow), I expect to start to slowly regain some time in my schedule. Last week, another member of the forum posted a “call to arms” message (link below) that raised some exciting and interesting points to start a discussion about how to effectively and ‘smartly’ grow our community. I penned a brief response yesterday and have decided to move the conversation to a public area (for community members) and share my response here:

The goal of the community is to provide a dedicated and centralized resource that would meet the needs of the security community in general, and the many security bloggers and podcasters in specific. There is no monetary cost to join, but your currency is your participation inside or outside of the community. While growth is good, “smart” growth of quality conversations will enhance the value of the community.

We are now in the process of establishing a board (from the initial Trusted Catalyst members) with the charter of improving the community and making preparations to bring these efforts into a non-profit status. If you’ve been involved in that process before, you’ll understand that is not necessarily an easy process, but one that many of us feel is worthwhile. It will allow the community to grow into new directions and provide valuable insight and resources to support the way organizations provide security.

As we set forth on that path, the way our community will grow is through active participation and discussion. I find it interesting that some people in our industry cite they are “too busy” and then ask me the very questions that have already been answered in the community. Equally ironic are those that claim a desire to mentor and share, but are absent from the forums. This is something we need to seek to understand better and then work to improve the community to welcome those voices and insights. The vision I shared with our efforts is one where for each “unit” of time you invest, you reap twice as much back in time saved, headache saved or general expansion of knowledge that opens new doors.

I have found those most active tend to benefit the most. In Andrew’s case, I also find it odd that his query drew only one response - but that probably serves as proof that we need to continue to grow and attract more members.

I appreciate the call to arms (and FWIW, it was James’ idea, and I pushed him to run with it). I see this as a sign that the community is ready to grow and expand. Good timing, too, since we’re preparing to migrate to a new site and incorporate some needed new features, including a chat capability. Slowly we’ll grow; in this case, slow is good, too.

You can help. Spend some time helping someone else and then consider what you need to make this more effective for your efforts. Post it here. Talk about it, create it and invite others to join you in the discussion. Many paths to take, but the good news is that they all lead to important conversations about how we can practice security more effectively.

I enjoy the journey and am glad you’re here. Tomorrow holds much promise for us all!

The Value within the Forums
No bluffing when I tell you that I am amazed every time I read the value that is contained in the forums. We are at a place where you may not be able to keep up with every new post. This is good! We have a search function that works surprisingly well, and I use it all the time. The conversations continue to expand and improve. If you have questions, comments, solutions, ideas - this is the place to come and share. I find the more you engage, the deeper and more useful the connections you will develop and the more impact you will realize. This directly translates into making your job easier!

Becoming a Member
If you are not yet a member, please consider joining us today. There is no cost beyond your participation. PLEASE NOTE: we enforce our naming standard - and you will need to create an account using your real name in the format of Firstname.Lastname. We welcome you to the conversation and look forward to sharing with you and learning from you.

Recent Conversations of Interest
Here are some of the current conversations that I find interesting, exciting and waiting for you! In fact, I realized I have a few I need to go back and comment on. My pledge is to find one hour each week to engage. I learned a lot on my last spin through the forums!

Call to Arms

The ABSOLUTE First Step

how often should I get involved?

Password Policy

Non-search engine news sources

PCI DSS Compliance

How to jump start security awareness training?

Thoughts on Computer Forensics and magazines

How did you get your start? (I still owe mine. It’s in progress, I swear)

Gauging Security Awareness Effectiveness

Free, Fair Elections Worldwide (This is a personal favorite of mine, and I love seeing others get engaged on this one!)

Cisco ASA vs Juniper SSG 20

Fortinet and Modern Bill

Yoggie - Fact or Fiction - would you buy or recommend one?

SANS mentoring

In our (new) School Security Forums:

All-in-ones or Best of Breeds

Teachers taking laptops home for the summer

Wow, so it’s been a while since I really walked through the forums. There is a lot of information there, and a lot of opportunity for you to engage and contribute. See you there!!

Posted in Information Protection | Comments

User Awareness Training

According to many, user education is one of the best methods of ensuring adequate protection of your information assets.  It’s been eternally touted as one of the requirements of a viable information security program.  This article is not about that, though.  It’s about knowing your users/customers.  Yes, Mr. & Ms. Security Professional, your users are also your customers.  You are here to serve them; not vice-versa.

How well do you understand your users?  Are you aware of their needs, habits, and abilities?  Most security professionals understand the technology, but don’t have a clue about their user base.  All security professionals need user awareness training to ensure they understand their customers.

In the June 1, 2007 edition of CIO magazine, Publisher Gary Beach asks the question, “How social are you?” (http://www.cio.com/article/109302)  He references a new report by the Pew Research Center titled, “Typology of Information and Communication Technology Users” (found at http://www.pewinternet.org/pdfs/pip_ict_typology.pdf).  This report classifies Information and Communication Technology (ICT) Users.  Based on its findings, we in security can no longer assume that users are stupid.  From Mr. Beach’s column, “customers (users) are ‘wicked smart.’ They know what they want, they know how to get it, and they’re doing so by leveraging the power of social networks to reach out to <others>.”

The report’s author, John Horrigan, has classified ICT users in America into ten categories based on their ICT assets, actions, and attitudes.  The ten groups that emerge in the typology fit broadly into a “high end” (31%), “medium users” (20%) and “low-level adopters” (49%) framework. However, the groups within each broad category have their own particular characteristics, attitudes and usage patterns.

From the Report*,
  - 8% of Americans are deep users of the participatory Web and mobile applications;
  - Another 23% are heavy, pragmatic tech adopters – they use gadgets to keep up with social networks or be productive at work;
  - 10% rely on mobile devices for voice, texting, or entertainment;
  - 10% use information gadgets, but find it a hassle;
  - 49% of Americans only occasionally use modern gadgetry and many others bristle at electronic connectivity.

Do you know where your customers/users fit?  How about you?
You can take their on-line Internet Typology Test (http://www.pewinternet.org/quiz/) to see where you fit in the new typology of ICT users.  Once you know yourself, you can better understand your users/customers.

By understanding your users/customers, you can tailor your security program to fit their needs. The fear of the unknown is often the greatest fear amongst security professionals.  By having a little awareness training of your users, that fear will be lessened.

To paraphrase from Mr. Beach’s column, the big deal is this: As your firm continues to drive a growth-and-innovation agenda, your users and customers ultimately will determine the degree to which you succeed.  So CISOs need to ask themselves, “Is my infrastructure sufficiently robust to encourage and support the use of ICTs while protecting against the biggest and most prevalent risks brought on by these new technologies?”  CISOs should have an understanding and a vision of their users/customers to enable their business’ use of technology while protecting the critical assets.

What do you think?  Is the Pew Report accurate?  Respond either in the comments below or on the Security Catalyst forums.

By helping each other, we all become stronger.

* Horrigan, John. A Typology of Information and Communication Technology Users. Pew Internet & American Life Project, May 6, 2007, http://www.pewinternet.org/PPF/r/213/report_display.asp, accessed on May 10.

Posted in Information Protection, Professional Speaking | Comments

An Information Protection Tool that Engages Employees

Information Protection Assessment Toolkit (IPAT)

I promised you a case study that demonstrates how the Information Protection Assessment Toolkit (IPAT) changes the way people protect information. In fact, I’m going to give you two case studies in one.

Harold Townley is a Funeral Director and business owner. He also sits on the board of the Town of Ballston. To prove the power of the IPAT, I ran town employees – including Harold – through the IPAT system earlier this year. The result was better protected information for the town and a new awareness about information protection in Harold’s business.

Like all municipalities, Ballston holds information that should not be in the public domain. While there had not been a security problem to date, with no plan in place to protect this information, it was a possibility. They needed the IPAT program.

In Week One I worked with a team of employees to identify what information was held in the organization, where it was held and how it was managed. The next four steps of IPAT involve processing what is learned, analyzing the results, developing an action plan and finally, generating reports. It was after only the first few steps that change was noticed. Involving all employees in IPAT “created an immediate shift in the mindset of town employees regarding information security” says Harold.

But for Harold, the change was extended further. He discovered that he wasn’t only thinking differently about information protection for the city – but for his business as well. At a meeting of funeral directors he encouraged participants to consider how they handle the personal data of deceased people. He wants his profession to consider carefully what is published in newspapers, how data is kept in the business and how requests for information are handled.

Harold doesn’t know that identity theft has occurred as a result of information provided by funeral homes but it is possible and he doesn’t want to be the source of a problem. “Just because we’ve done things one way in the past doesn’t mean we have to continue doing it that way,” he says. Thanks to IPAT, Harold looks at the information held by his funeral home differently. And the town of Ballston is well on its way to a proactive plan that engages all employees in information protection.

The Basics of IPAT
The Information Protection Assessment Toolkit is a process that helps you identify security issues and develop an information protection plan. It involves a set-up session, a toolkit and four coaching sessions. It can be scaled for large and small organizations, involves all employees and is the first step in protecting your organization from a breach.

Contact me (securitycatalyst@gmail.com) to learn more about our Special June Offer for the Information Protection Assessment Toolkit (IPAT).

Posted in Information Protection | Comments

OT: I need some help selecting a VOIP provider for small business

I just posted this to the community, but for those of you who are not yet members (and really - why aren’t you part of a growing, positively focused security community?), I need some help. If you have experience with VoIP, especially with hosted-solutions for small business, read on.
As my company grows, it’s time to get a more professional and feature-capable telephone system. As we grow, we’re going to have people located in different parts of the country, so VoIP in a “virtual office” arrangement seems to be the best fit for price/performance. Currently, we have the need for two extensions, based in the same physical location. We’d like to have an attendant that would direct calls to the right places, roll incoming calls and even forward to cell phones, if needed. As we grow, we will have multiple extensions geographically dispersed, as well as some who are mobile.

I’m looking for some feedback and experience with different providers, hardware and solutions. I toyed with Asterisk, but I want to focus on my business and not building and maintaining a solution. I want something that is simple, reliable and effective. If I sound like I’m on a tin can, or like I’m Max Headroom, it won’t work.

Any ideas, experience, companies to consider, etc. are greatly appreciated!

Initial Needs

  • Toll Free Number
  • Single number presented for outbound calls
  • Single number for inbound calls, automatically routed
  • DID for specific people; non-extension
  • Ability to send and receive fax communications
  • Ability to transfer calls to cell phones
  • Virtual Extension, with DID, for “friends and family”

Growth Considerations

  • ability to add new extensions, independent of where someone is located and have them included in our system
  • effective central management
  • call detail reporting (then again, maybe I don’t really care)

Travel Considerations

  • ability to travel with telephone and hook in through different networks (yeah, I understand potential risks)
  • wireless options/considerations - for example, is there a wireless handset that could be used when I’m traveling?
  • ability to bring system in RV and use on network powered by EVDO-RevA (for what it’s worth, I’m considering the Sonicwall TZ190 for the RV, and if that works, for the home network)

We are also interested in understanding

  • quality and service guarantees
  • equipment used and supported
  • number portability
  • security of network (then again, I feel like I have to ask, but I don’t ask Verizon that question today)

Additional Features of Interest

  • voicemail saved as audio files and submitted to email
  • ability to conduct conference calls
  • ability to call into the system and then make outbound calls (allowing me to hide my cell phone, or to call Canada, etc.)

Potential Providers

Who else should we be considering? Feel free to hit me with an email: securitycatalyst@gmail.com

The thread is here if you care to comment: Small Business VoIP Solutions - hosted provider experience?

Thanks in advance for your ideas, insights and experiences…

Posted in Information Protection | Comments (2)

Web App Security: Comparing and contrasting Black Box, White Box, Fault Injection, and SCA

This article is based on a talk I gave at the Phoenix OWASP chapter on May 10th. My intention is to summarize the methods used to assess the security of web applications, identify what they are good and not so good at finding, and outline their varying strengths and weaknesses. If you’ll indulge me, I’d like to spend some time building up to that with some background material.

What’s the big deal, anyway?

I am very pleased about the growing awareness surrounding web application security threats. Several organizations have been formed to promote the issue, such as OWASP and the Web Application Security Consortium, and for good reason: it is currently the most prolific attack vector. In fact, Gartner estimates that 75% of all attacks now come at the application layer.

The reason why is no mystery. Whereas in the 90’s, system configuration, buffer overflow, and other platform-level flaws were all the rage, these have become increasingly easy to manage. Economies of scale have given ubiquity and commodity status to packet-filtering firewalls, multi-platform patch management systems, vulnerability scanners, and intrusion prevention systems. The kinds of attacks most often prevented by these technologies are now considered ‘low hanging fruit.’

At the same time, the population of attackers has vastly increased. The maxim goes that a security system is only as strong as its weakest link, so that’s what attackers look for. Attacks have moved both up and down the stack. By this I mean, up to the application and even client level, and down to the system internals and driver level. Blue Pill, a virtual machine malware platform, is one such example that takes advantage of hardware features at the bottom level, while at the top level you have the world of web application attacks, where web applications are used as proxies to attack the integrity of the application as well as its architectural dependencies, and Javascript attacks, which are used to attack the softest target of all – the end user. At the Javascript / client attack level, state of the art is represented by PDP’s AttackAPI.

Custom web application security is different than platform security, to say the least. There are no vendor advisories or patches. Attackers like web applications because they have built-in, exposed mechanisms that must have connectivity to the data the attacker is after. The attacker thinks, why compromise an entire system when you can manipulate the application into coughing up what you’re looking for? Most protection is at the network, not application, layer, so the chances of getting caught are much lower. Application attacks are much harder to catch and prevent at the network layer, because the network components don’t understand the application, its logic, or which resources should be accessed and by which user roles. Web Application Firewalls (WAF) are an incomplete solution, often being network layer devices. The WEBAPPSEC mailing list has a great thread on this topic going on, right now. (See the May/June 2007 thread called “PCI 6.6 Questions.”) I’m not even certain WAF should be called a “firewall,” since they’re more of an Application layer Intrusion Prevention System, only they typically operate at the network layer, having no visibility into application internals. Fortify Defender is a notable exception. I’m starting to stray – this should probably be the subject of a future blog article…

As a result, it is incumbent upon organizations to understand the attackable surface area represented by web applications, particularly those that store and process confidential personal or payment card data.

Integrating Web Application Security Testing Approaches

One of the many hats I wear at QuietMove is to create our testing methodologies such that they maximize the efficiency and effectiveness of the time scoped for a particular assessment activity. I tackle this in two ways. One is by identifying the most comprehensive automated tools. I am a big proponent of automation – computers are good at automating things in a repeatable, measurable way. The second is in accounting for the fact that there are many classes of vulnerabilities which automated tools have serious trouble finding. This is partly a function of the perspective from which the tool operates, such as Source Code Analysis vs Fault Injection (more on this later), as well as the state of the art of each of these evolving technologies. Therefore, the second way recognizes that it’s critical we understand what automated tools can and can’t find, and develop other methods for identifying the “false negatives” – vulnerabilities that exist, but were missed.

The two main approaches that exist at present for web application testing are “Fault Injection” and “Source Code Analysis.” There are also two more philosophical approaches, “white box,” and “black box.” The results gained from a test are in no small way closely related to the assessment approach taken.

I’m going to define four terms that are key to this discussion:

White Box - a “full knowledge” approach to an assessment. This includes access to things like functional specifications and other design documents, network architecture, and source code.

Black Box – a “zero knowledge” approach to an assessment. The assessor starts off with no advance knowledge of the application. This is typically performed using automated fault injection tools, a web browser, and an HTTP proxy like Paros, Burp Proxy, or one of their many equivalents.

Fault Injection – interactive testing of a website that includes spidering, querying for known vulnerable scripts or components, testing for conditions like forceful browsing, directory traversal, and using the results of spidering to identify all points of user input to test for flaws like SQL injection, XSS, CSRF, command execution, etc. Typically a combination of fuzzing and injection of strings known to cause error conditions are used.

Static Code Analysis – also often known as “Source Code Analysis.” This often employs a mix of techniques such as searching for strings, identifying user input vectors, tracing the flow of data through the application, and mapping execution paths. Depending on the tool, it’s employed against source code or binaries.
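To make the Static Code Analysis definition concrete (identify the user input vectors, then trace data flow from them to a dangerous sink), here is an added example that is not from the article or from any tool it names: a toy taint tracker built on Python’s `ast` module, run over constructed sample handlers. It assumes Flask-style `request.args`/`request.form` reads as the input vectors and a DB-API `cursor.execute()` call as the SQL sink; both conventions are my assumptions, not anything the article specifies.

```python
import ast

# Assumed conventions (not from the article): Flask-style request fields are the
# user-input vectors, and a DB-API cursor.execute()/executemany() is the SQL sink.
SOURCE_ATTRS = {"args", "form", "values", "cookies"}
SINK_METHODS = {"execute", "executemany"}

# Constructed sample handlers to analyse. The first two build the query text
# from user input; the third passes the input as a bound parameter instead.
VULNERABLE_CONCAT = '''
def lookup(request, cursor):
    user = request.args.get("user")
    query = "SELECT * FROM accounts WHERE name = '" + user + "'"
    cursor.execute(query)
'''

VULNERABLE_FSTRING = '''
def lookup(request, cursor):
    user = request.form["user"]
    cursor.execute(f"SELECT * FROM accounts WHERE name = '{user}'")
'''

HARDENED = '''
def lookup(request, cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM accounts WHERE name = %s", (user,))
'''


def _is_source(node):
    """True for request.<field>.get(...) and request.<field>[...] reads."""
    if isinstance(node, ast.Call):
        node = node.func            # request.args.get
        if not (isinstance(node, ast.Attribute) and node.attr == "get"):
            return False
        node = node.value           # request.args
    elif isinstance(node, ast.Subscript):
        node = node.value           # request.form
    else:
        return False
    return (isinstance(node, ast.Attribute) and node.attr in SOURCE_ATTRS
            and isinstance(node.value, ast.Name) and node.value.id == "request")


def _is_tainted(node, tainted):
    """Does this expression carry user data, directly or via a tainted variable?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if _is_source(node):
        return True
    if isinstance(node, ast.BinOp):            # "..." + user + "..."
        return _is_tainted(node.left, tainted) or _is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):        # f"... {user} ..."
        return any(isinstance(v, ast.FormattedValue) and _is_tainted(v.value, tainted)
                   for v in node.values)
    return False


def analyse(source):
    """Return (function name, line) for each sink call whose query text is tainted."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:                 # straight-line bodies only; no branches
            if isinstance(stmt, ast.Assign):
                value_tainted = _is_tainted(stmt.value, tainted)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        # reassignment from a clean value clears the taint
                        if value_tainted:
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                if (isinstance(call.func, ast.Attribute)
                        and call.func.attr in SINK_METHODS and call.args
                        and _is_tainted(call.args[0], tainted)):
                    # only the query argument is checked: bound parameters in
                    # args[1] are sent separately by the driver, never as SQL text
                    findings.append((func.name, call.lineno))
    return findings


if __name__ == "__main__":
    for label, sample in [("concat", VULNERABLE_CONCAT),
                          ("f-string", VULNERABLE_FSTRING), ("hardened", HARDENED)]:
        print(label, analyse(sample))
```

The analyser flags both vulnerable handlers and stays quiet on the parameterised one, which is exactly the distinction a string search for `execute` cannot make. It also shows where source code analysis runs out of road: it only follows straight-line assignments, knows nothing about branches, helper functions or data arriving through a database, and has no idea whether the handler is even reachable. Those are the “false negatives” the article says fault injection and hands-on testing have to pick up.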

Awareness is growing for a different technique often referred to as “Grey Box assessment,” which integrates the approaches described above. This approach combines static and fault injection testing techniques, in order to compensate for their different detection capabilities, and also integrates elements of white and black box methodologies. In practice, my observation is that the most comprehensive results are achieved through an iterative process involving an initial “white box” fault injection assessment, followed by static code analysis. The results of the static/source code analysis assessment are then fed back into further “fault injection” testing to validate the code analysis results and better inform the tester about the application architecture and areas to examine for further vulnerabilities using hands-on techniques. In my experience, this is the most comprehensive methodology, though for obvious reasons it’s also the most time consuming.

The following matrix was developed to present a high level view of the strengths and weaknesses of each approach. Suggestions for additional strengths and weaknesses would be welcomed.

Web App Sec Matrix - Black Box, White Box, Fault Injection, Static Code Analysis (SCA)

The matrix view demonstrates some of the trade-offs at play: detection capability, expense, and time. It visualizes a common theme of public talks I give about web application security, specifically how the testing methodology chosen impacts the results that will be achieved. It brings to mind the old engineering maxim: “Good, cheap, fast: Pick any two.” It demonstrates t

This is the first of several blog posts I’ll be posting at Security Catalyst about web application security testing. The next will be about several different approaches to planning test scenarios, and the relative strengths and weaknesses of each.

Posted in Information Protection | Comments (1)