A big thanks to all the hackers and wannabees who have kept and continue to keep the Internet routing around censorship so that the people of Iran can get to twitter.
Posted in IKANHAZFIZMA | 
1 Comment »
Tags: infosharing • lolcats • security
Eh? What’s that mean? Developer Days is a weeklong conference where they get down into the weeds about the various SCAP schemas and how they fit into the overall program of security automation.
Highlights and new ideas:
Remedial Markup Language: Fledgeling schema to describe how to remediate a vulnerability. A fully automated security system would scan and then use the RML content to automagically fix the finding… say, changing a configuration setting or installing a patch. this would be much awesome if combined with the CVE/CWE so you have a vulnerability scanner that scans and fixes the problem. Also needs to be kept in a bottle because the operations guys will have a heartattack if we are doing this without any human intervention.
Computer Network Defense: There is a pretty good scenario slide deck on using SCAP to automate hardening, auditing, monitoring, and defense. The key from this deck is how the information flows using automation.
Common Control Identifier: This schema is basically a catalog of controls (800-53, 8500.2, PCI, SoX, etc) in XML. The awesomeness with this is that one control can contain a reference implementation for each technology and the checklist to validate it in XCCDF. At this point, I get all misty…
Open Checklist Interactive Language: This schema is to capture questionaires. Think managerial controls, operational controls, policy, and procedure captured in electronic format and fed into the regular mitigation and workflow tools that you use so that you can view “security of the enterprise at a glance” across technical and non-technical security.
Network Event Content Automation Protocol: This is just a concept floating around right now on using XML to describe and automate responses to attacks. If you’re familiar with ArcSight’s Common Event Format, this would be something similar but on steroids with workflow and a pony!
Attendance at developer days is limited, but thanks to all the “Powar of teh Intarwebs, you can go here and read the slides!
Posted in NIST, Technical | 3 Comments »
Tags: 800-53A • 8500.2 • catalogofcontrols • compatibility • compliance • fdcc • genius • government • infosec • infosharing • management • NIST • pci-dss • scalability • scap • security • seminar • tools
Rybolov’s Note: Hello all, I’m venturing into an open-ended series of blog posts aimed at starting conversation. Note that I’m not selling anything *yet* but ideas and maybe some points for discussion.
Let’s get this out there from the very beginning: I agree with Ranum that full-scale, nation-v/s-nation Cyberwar is not a reality. Not yet anyway, and hopefully it never will be. However, on a smaller scale with well-defined objectives, cyberwar is not only happening now, but it is also a natural progression over the past century.
Looking at where we’re coming from in the existing models and techniques for activities similar to cyberwar, it frames our present state very nicely :
Electronic Countermeasures. This has been happening for some time. The first recorded use of electronic countermeasures (ECM) was in 1905 when the Russians tried to jam radio signals of the Japananese fleet besieging Port Arthur. If you think about ECM as DOS based on radio, sonar, etc, then it seems like cyberwar is just an extension of the same denial of communications that we’ve been doing since communication was “invented”.
Modern Tactical Collection and Jamming. This is where Ranum’s point about spies and soldiers falls apart, mostly because we don’t have clandestine operators doing electronic collection at the tactical level–they’re doing both collection and “attack”. The typical battle flow goes something along the lines of scanning for items of interest, collecting on a specific target, then jamming once hostilities have begun. Doctrinally, collection is called Electronic Support and jamming is called Electronic Attack. What you can expect in a cyberwar is a period of reconnaissance and surveillance for an extended length of time followed by “direct action” during other “kinetic” hostilities.
Radio Station Jamming. This is a wonderful little world that most of you never knew existed. The Warsaw Pact used to jam Radio America and other sorts of fun propaganda that we would send at them. Apparently we’ve had some interesting radio jamming since the end of the Cold War, with China, Cuba, North Korea, and South Korea implicated in some degree or another.
Website Denial-of-Service. Since only old people listen to radio anymore and most news is on the Internet, so it makes sense to DOS news sites with an opposing viewpoint. This happens all the time, with attacks ranging from script kiddies doing ping floods to massive DOSBots and some kind of racketeering action… “You got a nice website, it would be pretty bad if nobody could see it.” Makes me wonder why the US hasn’t taken Al Jazeera off the Internet. Oh, that’s right, somebody already tried it. However, in my mind, jamming something like Al Jazeera is very comparable to jamming Voice of America.
Estonia and Gruzija DOS. These worked pretty well from a denial-of-communications standpoint, but only because of the size of the target. And so what if it did block the Internet, when it comes to military forces, it’s at best an annoyance, at most it will slow you down just enough. Going back to radio jamming, blocking out a signal only works when you have more network to throw at the target than the target has network to communicate with the other end. Believe it or not, there are calculators to determine this.
Given this evolution of communications denial, it’s not unthinkable that people wouldn’t be launching electronic attacks at each other via radar, radio, carrier pigeon, IP or any other way they can.
However, as in the previous precedents and more to some of the points of Ranum’s talk at DojoSec, electronic attacks by themselves only achieve limited objectives. Typically the most likely type of attack is to conduct a physical attack and use the electronic attack, whether it’s radio, radar, or IT assets, to delay the enemy’s response. This is why you have to take an electronic attack seriously if it’s being launched by a country which has a military capable of attacking you physically–it might be just a jamming attack, it might be a precursor to an invasion.
Bottom line here is this: if you use it for communication, it’s a target and has been for some time.
Posted in Technical, The Guerilla CISO, What Doesn't Work, What Works | 5 Comments »
Tags: cashcows • cybercommand • cybercorps • Cyberwar • government • infosec • infosharing • itsatrap • moneymoneymoney • pwnage • risk • security
Saturday, June 20, 2009 from 8:00 AM – 5:00 PM (ET) in downtown DC.
I’ll be going. This will be a “Bar Camp Stylie” event, where you’re not just an attendee, you’re also a volunteer to make it all happen. You might end up running a conversation on your favorite privacy topic, so you have been warned. =)
*Most* of the folks going are of the civil libertarian slant. With my background and where I work, I usually “bat for the other team on this issue”. The organizers have assured me that I’ll be welcome and can play the heretic role.
How to play:
Some themes that I’ve seen develop so far:
See Y’all there!
Posted in Public Policy, Speaking | No Comments »
Tags: collusion • datacentric • government • infosec • infosharing • law • legislation • privacy • publicpolicy • security • seminar • speaking • training
So how does the Guerilla-CISO staff communicate with the locals on jaunts to foreign lands such as Deleware, New Jersey, and Afghanistan? The answer is simple, we use interpreters, known in infantrese as “terps”. Yes, you might not trust them deep down inside because they harbor all kinds of loyalties so complex that you can spend the rest of your life figuring out, but you can’t do the job without them.
But in remembering how we used our interpreters, I’m reminded of some basic concepts that might be transferable to the IT security and risk management world. Or maybe not, at least kick back and enjoy the storytelling while it’s free. =)
Know When to Treat Them Like Mushrooms: And by that, we mean “keep them in the dark and feed them bullsh*t”. What really mean is to tell potentially adversarial people that you’re working with the least amount of information that they need to do their job in order to limit the frequency and impact of them doing something nasty. When you’re planning a patrol, the worst way to ruin your week is to tell the terps when you’re leaving and where you’re going. That way, they can call their Taliban friends when you’re not looking and they’ll have a surprise waiting for you. No, it won’t be a birthday cake. The way I would get a terp is that one would be assigned to me by our battalion staff and the night before the patrol I would tell the specific terp that we were leaving in the morning, give them a time that I would come by to check up on them, and that they would need to bring enough gear for 5 days. Before they got into my vehicles and we rolled away, I would look through their gear to make sure they didn’t have any kind of communications device (radio or telephone) to let their buddies know where we were at.
Fudge the Schedule to Minimize Project Risk: Terps–even the good ones–are notorious for being on “local time”, which for a patrol means one hour later than you told them you were leaving. The good part about this is that it’s way better than true local time, which has a margin of error of a week and a half. In order to keep from being late, always tell the terps when you’ll need them an hour and a half before you really do, then check up on them every half hour or so. Out on patrol, I would cut that margin down to half an hour because they didn’t have all the typical distractions to make them late.
Talk Slowly, Avoid Complex Sentences: The first skill to learn when using terps is to say things that their understanding of English can handle. When they’re doing their job for you, simple sentences works best. I know I’m walking down the road of heresy, but this is where quantitative risk assessment done poorly doesn’t work for me because now I something that’s entirely too complex to interpret to the non-IT crowd. In fact, it probably is worse than no risk assessment at all because it comes accross as “consultantspeak” with no tangible link back to reality.
Put Your Resources Where the Greatest Risk Is: To a vehicle patrol out in the desert, most of the action happens at the front of the patrol. That’s where you need a terp. That way, the small stuff, such as asking a local farmer to move his goats and sheep out of the road so you can drive through, stays small–without a terp up front, a 2-minute conversation becomes 15 minutes of hassle as you first have to get the terp up to the front of the patrol then tell them what’s going on.
Pigs, Chicken, and Roadside Bombs: We all know the story about how in the eggs and bacon breakfast, the chicken is a participant but the pig is committed. Well, when I go on a patrol with a terp, I want them to be committed. That means riding in the front vehicle with me. It’s my “poison pill” defense in knowing that if my terp tipped off the Taliban and they blow up the lead vehicle with me in it, at least they would also get the terp. A little bit of risk-sharing in a venture goes a long way at getting honesty out of people.
Share Risk in a Culturally-Acceptable Way: Our terps would balk at the idea of riding in the front vehicle most of the time. I don’t blame them, it’s the vehicle most likely to be turned into 2 tons of slag metal thanks to pressure plates hooked up to IEDs. The typical American response is something along the lines of “It’s your country, you’re riding up front with me so if I get blown up, you do to”. Yes, I share that ideal, but the Afghanis don’t understand country loyalties, the only thing they understand is their tribe, their village, and their family. The Guerilla-CISO method here is to get down inside their heads by saying “Come ride with me, if we die, we die together like brothers”. You’re saying the same thing basically but you’re framing it in a cultural context that they can’t say no to.
Reward People Willing to Embrace Your Risks: One of the ways that I was effective in dealing with the terps was that I would check in occassionally to see if they were doing alright during down-time from missions. They would show me some Bollywood movies dubbed into Pashto, I would give them fatty American foods (Little Debbie FTW!). They would play their music. I would make fun of their music and amaze them because they never figured out how I knew that the song had drums, a stringed instrument, and somebody singing (hey, all their favorite songs have that). They would share their “foot bread” (the bread is stamped flat by people walking on it before it’s cooked, I was too scared to ask if they washed their feet first) with me. I would teach them how to say “Barbara (their assignment scheduler back on an airbase) was a <censored> for putting them out in the middle of nowhere on this assignment” and other savory phrases. These forays weren’t for my own enjoyment, but to build rapport with the terps so that they would understand when I would give them some risk management love, Guerilla-CISO style.
Police, Afghan Army and an Interpreter photo by ME!. The guy in the baseball cap and glasses is one of the best terps I ever worked with.
Posted in Army, Risk Management, The Guerilla CISO, What Works | 1 Comment »
Tags: afghanistan • infosharing • interpreters • itsatrap • management • pwnage • risk • security
Ooh ooh, the review is supposed to be announced tomorrow!
Posted in IKANHAZFIZMA | No Comments »
Tags: government • infosec • infosharing • lolcats • security • transition
« Previous Entries Next Entries »
Posts RSS
Subscribe via Email