Thursday, February 25, 2010

The Dynamic Threat Vectors

The new threat vectors that we are facing in security are not really new, but are updates of old attacks that have been around for years. I consider myself relatively new to the scene, less than 7 years and most of that from a help desk or academic background, but even I can see that this is not something new.

Recently I sat in on a SANS APT Webcast that was presented by Nitrosecurity. While some of the information was good, the rest of it was a disappointment because the presenters failed to understand what APT really is. I believe that TaoSecurity does a good job explaining it here and here. Yet we are still led to believe that the attack on Google is a new thing.

The scary thing about all this is that we live in a world where InfoSecurity is determined by arbitrary risk thresholds and proven ROI. The reality is that if a corporation is truly secured, you will never know how many attacks you prevented; but the truth is that if a corporation thinks it is truly secured, then they have not verified their logs and all of their assets.

Now comes the question of how we defend against APT. This is not something where you can wave a magic wand and find the perfect solution in a vendor product to protect yourself. The defense against APT is a bastion of layered defenses that, when used together, form a solid defense. Analysts must be trained, not just in technology and response techniques, but in how the network behaves, what the expected traffic on the network is, and what the known vulnerabilities within the network are. An analyst must be willing to trust their instinct about network activity, and they must have proper escalation procedures in place in case of an attack. Management then must be willing to react, contain, adapt and mitigate on the fly to defend their network. But in doing that we should not compromise the integrity of the data that can be gathered from the attack, in the hope of mitigating further attacks from our threat vectors.

Of course, our defense against APT should also be our foundation for all of our incidents. If an analyst does not know the network, does not understand the network traffic, and cannot make the judgment call that something is not right, then regardless of the money we throw at security vendors' products, our networks will never be secured.

Tuesday, February 23, 2010

ISACA Security Fail

You would think that an organization that prides itself on training the next generation of security specialists, auditors and risk management personnel would actually take a few notes from their own training and utilize what they preach?

Recently lbhuston had all of his contact and account information purged from the ISACA.ORG site. Was this because it was hacked? Was there a disagreement over training material? A general falling out in personal relationships? No, it was none other than ISACA.ORG's position to send passwords via a plain text message. Their mitigation procedure is to ignore the gaping security hole and wait until they release a new site!!

Yes, that's right: the organization that works to set standards and train the future of the InfoSec community sees nothing wrong with waiting to fix a glaring security hole until they release their new site.

You can read more of this and lbhuston's comments on this on his blog.


My name is Ken, and I am an Information Security Analyst for a large financial institution. I have been involved with IT for the last 7 years, starting with help desk support and slowly moving into IT Security. I graduated with a BS in Information Systems Security from ITT-Tech in 2007, and am looking to pursue my masters in Information Assurance with an emphasis in Digital Forensics and Cryptography in the near future.

My current responsibilities are perimeter security, vulnerability/patch research, and alert watching through our SIEM. Sprinkle in a little bit of SharePoint support, JavaScript, VB application development, Perl scripting, and learning everything I can in InfoSec and Forensics.

Before IT I was doing lighting and sound at a theatre. When they decided to shut down for a year, I decided it was time to go back to school. I started with an idea to go into programming, until I took my first C+ class. That semester I also had my first introduction to Linux, realized that programming was not my forte, and that I enjoyed learning what he did with Linux.

I have a solid understanding of where I want to be in the next 5 years in my professional development, although I do have a tendency to procrastinate. I have learned recently that in order to make my future what I want it to be, I must make tactical decisions to position myself for future growth and development; without those tactical decisions my future will be nothing more than an unattainable possibility.

Outside of work, I try to spend my down time with my family and friends. This includes weekend board games, Xbox games, role playing games, or just getting away for dinner and time alone with my wonderful wife. On the rare occasion I will actually pick up something and start, or try and finish, reading it.

My current reading list includes:
   Extrusion Detection (Bejtlich)
   Tao Security (Bejtlich)
   Intrusion Signatures & Analysis (SANS)
   Learning Perl (Schwartz)