Security Ripcord


Adapt and Then Evolve

September 2nd, 2009 cutaway Posted in Leadership, Security, Security Catalysts No Comments » 2,081 views

Andy Willingham, or Andy ITGuy as some of you know him, posted an interesting question in the Security Catalyst forums the other day in a post titled “Is it really ‘Game Over’?”

I attended GFIRST this week and many of the presentations gave the impression that we have hit the point where it’s “game over”. None of them ever said that exactly but Amit Yoran of NetWitness came pretty close. He said that we have already lost and it’s going to get worse before it gets better.

What are you seeing in your “security life”?
Is it that bad? Is it almost that bad?
What do you think we need to do to change the course of things?

… (Go see his opinion in the post)

Now, I haven’t been contributing to the Security Catalyst forums recently (although I know I should be), but I couldn’t let this one slip by without a comment. Basically I take the standpoint that there is no “Game Over” or even “Win or Lose” in the information technology security industry. There is only “Adapt and Then Evolve.” Some people might consider this “Playing Catch-up,” and it can seem like it if you want to take a pessimistic attitude towards it (we all do multiple times during our careers). I, however, view it as a constant struggle, like life. We aren’t here to “Win or Lose.” There is no “End Game” scenario. There is only the constant struggle to survive the best way that we can and, while we are at it, make sure that good people are not preyed on by the scumbags in every society. If we are very lucky, we will also make enough to support our families comfortably while they are dealing with their life struggles.

I have provided a few more details in my reply to Andy’s forum post. Go, read it, chew on it a bit, then provide your input so that others can learn and grow. After all, by doing so you are helping others “Adapt and Evolve” by being a Security Catalyst.

Go forth and do good things,

Don C. Weber


Mystery Box Challenge – Day One

August 25th, 2008 cutaway Posted in DefCon, Mystery Box Challenge, Security Catalysts 1 Comment » 17,202 views

As I have mentioned before, I and several other Security Catalysts were willing participants in the Mystery Box Challenge (MBC) hosted by LostboY at DefCon 16.  First of all I would like to thank LostboY for all of his hard work, extra time, and mountains of money that he devotes to the challenge each year, both before and DURING DefCon.  If you had participated in this year’s competition you could not have helped but wonder how much of all three he put in himself.  It is definitely impressive and I am definitely appreciative.

LostboY At DefCon 16 - From Program

I was thinking about how I could best describe the MBC while demonstrating just how hard it really is to participate. I decided that one of the best ways is to walk you through one of the problems that we had to solve. This will not be a complete walk-through for two reasons: 1) I don’t have all the original documentation or pictures of them, and 2) the confusion due to misdirection (which is really LostboY’s favorite game) would get a little boring. So, let’s give it a shot.

To start everyone off LostboY gave each team an envelope with an Infrared (IR) transmitter attached to the outside. The IR transmitter has nothing to do with the initial portion of the challenge, but keeping track of it while running around from place to place did take some effort. The envelope contained a letter, which is one of the items I did not copy or take a picture of, with a riddle. Basically the text told us that we already had everything we needed and that we should look to tomes of knowledge and other traditions we had been given. To make a long story short (by about 5 hours), the clues we needed were in the DefCon program and on our DefCon badges. It turns out that LostboY decided to enlist the DefCon staff and Kingpin this year, which should not have surprised us as we were looking in the DefCon 15 program (sorry, this year’s is not up yet) for clues last year.

DefCon 16 Badge Front

Moving right along, what we needed were a block of encrypted text and a key to decrypt it.  Last year LostboY had used a One Time Pad to encrypt a clue and he decided that we would all understand if he used the same trick this year.  Of course, we had the same problem as last year, “Where is the @#$%ing key???”  It was pretty easy to find the cipher text.  It had LostboY’s name written all over it.  LostboY often refers to himself as 1057.  1057 in binary is 10000100001.  As you can see, this was included in the DefCon 16 program.

Cipher Text Block

The picture of the winged man is the image of The Monarch from the Venture Brothers (a recurring theme throughout the competition). When we confronted LostboY about this he told us that Monarch plus the key means, well, Monarch-key. It’s a joke, son. Of course, nothing in the competition is a joke to the competitors, so we spent a good while thinking about what it could all mean. The kanji at the bottom turns out to stand for “1507”, which does not have any meaning at this stage. Nope, the only thing we needed at this stage was the block of text in one long line. “XUQSITYPZYCYSHQDJBWPJPJTVTGJRCUARYVLQHJOKIDRAGIVWMQUSUPDNHJFITHOLPSBIUPYISMQJFOTXJEKLQBIBTPJXBNLVTHOFATHNSUFUFPFMNITHLRHPGIZL” is the cipher text. But where is the key?

After many hours of back and forth and many hints from LostboY on his projected screen of shame….I mean hints, we figured out that the key was also in the DefCon 16 program.  As it turns out, LostboY did an interview for the program to explain the thought process behind the competition.

OTP Key in DefCon 16 Program

Of course, in true LostboY fashion, it turns out that the first paragraph of the interview is the key for the cipher text.  This paragraph reads:

I get asked to explain the Mystery Challenges quite frequently. More frequently than that I am asked what the hell it is in the first place. I find it interesting that nobody ever asks why the Mystery Challenge (which has really come to be called ‘Mystery Box’). Why I spend months of my life, thousands of dollars and all my time at Defcon creating ciphers that are meant to be broken, strong boxes that are supposed to be breached, and circuits that are designed to be destroyed.

Which, when converted to work with a One Time Pad encryption scheme for the supplied cipher text, turns into: “IGETASKEDTOEXPLAINTHEMYSTERYCHALLENGESQUITEFREQUENTLYMOREFREQUENTLYTHANTHATIAMASKEDWHATTHEHELLITISINTHEFIRSTPLACEIFINDITINTER”

Now, you can take the supplied cipher text and the supplied key and input these values into any One Time Pad program that you have available. Luckily enough there is a PHP version on Braingle’s Codes and Ciphers website. This website makes decryption easy as pie. Just put the encrypted text and the key in the appropriate text boxes and you receive your answer: “POMZIBOLWFOUVSFDBODIFDLBCPPLPVUPGUIFMPTUCPZMJCSBSZXJUIBMJCSBSZDBSEUIBUCFBSTIJTOBNFBOEQIPUPIFMQFSNBZBMTPCFBCMFUPDIFDLUIJOHTPVU”.

Cool, right? Read that again. Does that spell anything to you? Nope, me neither.

Now, I cannot really say for certain how anybody figured this out. I currently have an email in to LostboY to see if there was a hint about this anywhere, since I do not remember one. It turns out that this is ALMOST the correct answer. If you take the answer given here and shift it one character to the left you’ll see the actual message: “ONLYHANKVENTURECANCHECKABOOKOUTOFTHELOSTBOYLIBRARYWITHALIBRARYCARDTHATBEARSHISNAMEANDPHOTOHELPERMAYALSOBEABLETOCHECKTHINGSOUT”.

Now, I did not figure this out by looking at it.  Indeed, I did not figure it out during the competition.  One of the other team members thought he remembered a shift from the DefCon 15 competition (I don’t remember that shift at all) so we tried it and got the answer.  Still, I couldn’t just “accept” this answer so I decided to write a One Time Pad program in Python just to satisfy my curiosity.

One Time Pad – Python

It is easy to use.  Although I did originally code a true OTP program, the one attached has been modified to provide the proper output for the challenge.

user@desktop:~/Dev/test_programs/python/crypto$ python otp2.py -d crypt.txt keyfile.txt result.txt
Input: XUQSITYPZYCYSHQDJBWPJPJTVTGJRCUARYVLQHJOKIDRAGIVWMQUSUPDNHJFITHOLPSBIUPYISMQJ
FOTXJEKLQBIBTPJXBNLVTHOFATHNSUFUFPFMNITHLRHPGIZL
Key:   IGETASKEDTOEXPLAINTHEMYSTERYCHALLENGESQUITEFREQUENTLYMOREFREQUENTLYTHAN
THATIAMASKED
Decrypting
Decrypted: ONLYHANKVENTURECANCHECKABOOKOUTOFTHELOSTBOYLIBRARYWITHALIBRARYCARDTHAT
BEARSHISNAMEANDPHOTOHELPERMAYALSOBEABLETOCHECKTHINGSOUT
user@desktop:~/Dev/test_programs/python/crypto$

Once we had the message all we had to do was follow the instructions. The snag, however, is “what book?” It turns out that in the original letter LostboY had mentioned ISBN, binary numbers, and palindromes. We took this to mean that the book required an ISBN that was a binary palindrome like 10000100001. Of course that was not it. After some thinking we remembered that LostboY had mentioned the DefCon 16 badge. Looking at the badge we found plenty of interesting features. The most important feature was on the back, in the lower right hand corner, between the contact points for the USB adapter.

Clearly LostboY wanted us looking at this. Once again 10000100001 in the first line is binary for 1057 or LosT. The second line, if you cannot read it, is “21ADDDEC1024”. This can be interpreted in several ways, but the simplest way is to add hex 21, or 0x21, to decimal 1024. 0x21 = 33. 33 + 1024 = 1057 or LosT. As we know, LosT in binary is 10000100001, but we also know that this is not the ISBN of the book that we are looking to check out. We know this because LostboY told us so when we did try to check it out. After thinking on the whole thing long and hard I noticed a statement in the letter. In not so many words it said that we had the answer but we needed to add everything together to get it. So, on a whim I decided on the following equation: 0x2 + 0x1 + 0xA + 0xD + 0xD + 0xD + 0xE + 0xC + 0x1 + 0x0 + 0x2 + 0x4. This equals 0x55, which is 1010101 in binary. Yes, that is a binary palindrome. It was the ISBN for the book that we needed. And after all of that work, one full day of DefCon, several gray hairs, and some choice cuss words at LostboY’s expense, we had what we needed to move on to the next phase of the competition.
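The whole clue chain from the paragraphs above, as an added Python example that is not LostboY’s puzzle code and not the otp2.py attached to this post: it reduces the interview paragraph to a key stream, subtracts it with A=0..Z=25 (which reproduces the Braingle near-miss), applies the extra shift of one that gives the real message (the same arithmetic you get if the encrypting side numbered the letters A=1..Z=26), round-trips the result back to the cipher text from the program, and finishes with the hex-digit sum from the badge. All function and constant names are my own.

```python
"""Re-creation of the DefCon 16 Mystery Box clue arithmetic described above.
Added example: not LostboY's puzzle code and not the author's otp2.py.

Letters are numbered A=0 .. Z=25.  Subtracting the key with that numbering
gives the near-miss string the Braingle page produced; the clue needs one
more shift, plain = (cipher - key - 1) mod 26, which is exactly what you get
if the encrypting side numbered A=1 .. Z=26 instead.
"""
import string

ALPHABET = string.ascii_uppercase

# Cipher text from the DefCon 16 program, as quoted in the post.
CIPHER = (
    "XUQSITYPZYCYSHQDJBWPJPJTVTGJRCUARYVLQHJOKIDRAGIVWMQUSUPDNHJFITHOLPSBIUPYISMQJ"
    "FOTXJEKLQBIBTPJXBNLVTHOFATHNSUFUFPFMNITHLRHPGIZL"
)

# Opening of LostboY's program interview: the key source.  A key lifted from
# published prose is a running-key cipher rather than a true one-time pad;
# anyone holding the program can recover it, which is the whole puzzle.
INTERVIEW_PARAGRAPH = (
    "I get asked to explain the Mystery Challenges quite frequently. More "
    "frequently than that I am asked what the hell it is in the first place. "
    "I find it interesting that nobody ever asks why the Mystery Challenge "
    "(which has really come to be called 'Mystery Box')."
)

# Second line on the back of the DefCon 16 badge, lower right corner.
BADGE_LINE = "21ADDDEC1024"


def prepare_key(text: str, length: int) -> str:
    """Uppercase, keep A-Z only, and truncate to the cipher text length."""
    letters = "".join(ch for ch in text.upper() if ch in ALPHABET)
    if len(letters) < length:
        raise ValueError("key material is shorter than the cipher text")
    return letters[:length]


def _shift_stream(text: str, key: str, sign: int, offset: int) -> str:
    """Letter arithmetic shared by both directions: sign=+1 adds the key
    (encrypt), sign=-1 subtracts it (decrypt); offset is the extra constant
    shift applied in the same direction as the key."""
    if len(key) != len(text):
        raise ValueError("key length must equal text length")
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * (ALPHABET.index(k) + offset)) % 26]
        for t, k in zip(text, key)
    )


def otp_encrypt(plaintext: str, key: str, offset: int = 0) -> str:
    """cipher[i] = (plain[i] + key[i] + offset) mod 26"""
    return _shift_stream(plaintext, key, +1, offset)


def otp_decrypt(cipher: str, key: str, offset: int = 0) -> str:
    """plain[i] = (cipher[i] - key[i] - offset) mod 26"""
    return _shift_stream(cipher, key, -1, offset)


def badge_isbn(line: str) -> tuple:
    """Add every hex digit of the badge line; return (sum, binary string,
    is_palindrome).  For 21ADDDEC1024 this is 0x55 = 1010101."""
    total = sum(int(ch, 16) for ch in line)
    bits = format(total, "b")
    return total, bits, bits == bits[::-1]


def solve_challenge() -> dict:
    """Run the whole clue chain and return each intermediate result."""
    key = prepare_key(INTERVIEW_PARAGRAPH, len(CIPHER))
    naive = otp_decrypt(CIPHER, key)              # what the Braingle page gives
    message = otp_decrypt(CIPHER, key, offset=1)  # the actual instruction
    # Round trip: re-encrypting with the same rule must give the program text.
    if otp_encrypt(message, key, offset=1) != CIPHER:
        raise AssertionError("round trip failed")
    total, bits, palindrome = badge_isbn(BADGE_LINE)
    return {"key": key, "naive": naive, "message": message,
            "isbn_hex": f"0x{total:X}", "isbn_bits": bits,
            "palindrome": palindrome}


if __name__ == "__main__":
    for name, value in solve_challenge().items():
        print(f"{name:>10}: {value}")
```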

The rest of the MBC will be very hard to explain, so I probably will not even try. Needless to say, LostboY sent us on even more wild goose chases that boggled our minds for another 30 hours. Most of the answers were right under our noses, and the winning teams obviously were able to sift through the misdirections faster than the other teams. My hat goes off to them.

Go forth and do good things,

Don C. Weber


Network Extension Policy

February 20th, 2008 cutaway Posted in Management, Networking, Policy, Risk, Security Catalysts, Virtual Machines 1 Comment » 2,224 views

There is an interesting conversation in the Security Catalyst Community with the title “vmware bridge vs. NAT”. It started as a discussion about developers utilizing VMware for development on their local machines. The initial issue was whether to allow the developers to configure their systems so that the guest communicated through the host via NAT or to require that all guests be assigned an IP address on the network.

The thread has already gone through a spiral of recommendations and additional questions. I will not hash those out here. But what I found interesting is that this all comes back to a question of policy. The current policy, at this company, “stats [sic] that no workstation should route traffic.” One respondent pointed out that although the implementation of VMware might be a concern, perhaps the problem is actually the way that the policy has been written.

The way that policy is written should never get in the way of the desired goal for which the policy has been instated. What I mean by that is that the requirement that ‘no workstation should route traffic’ is a means, and not a goal. What you probably want is that no workstation should be able to connect networks in a way that they were not designed to.

Very sage advice.

All of this brings the risk of unauthorized network extension to the forefront. What I mean by network extension is any hardware or software configuration that permits other systems to utilize the network. What I mean by unauthorized is anything that has not gone through the proper approval channels to be placed on the network. We see examples of this all the time in most work places. Somebody attaches a network hub or switch so that they can have a desktop and a laptop. Another person bridges their network interfaces through their handy-dandy Microsoft XP configuration capabilities. And the one that everybody knows best, wireless, wireless, wireless. All of these scenarios can increase the risk to any environment. Not only do you have unauthorized systems on the network, but there is no telling how they have been configured, what software and hardware has been installed, or what the administrative passwords may be. Just to name a few.

So, how do we combat the extension of our network? Well, at my last job at the university, they started with (yup, you guessed it) policy. And despite a few rough encounters that occurred while confiscating equipment, I believe that they handled it quite well. First they started with an over-arching policy to kick off the control effort. (I have changed a few of the position and department titles to be more universal and understandable.)

All University data, video, wireless, and voice telephone network connectivity, including but not limited to active data net-attached lines, hubs, switches, telephones, wireless and extenders, must be approved by the Chief Technology Officer. Such connectivity must be coordinated and supervised by IT Department. Any installation not approved may be disconnected.

Next they developed policies with more detail that provided the users with information about the policy’s scope, applicability, terms, implementation, and consequences. They made it very clear that ownership and operation of the campus’ network would be handled by a specific department and that all approvals for connectivity would have to be processed by that department. They provided very clear wording to ensure that all users understood that this included any instances where the network was extended.

All hardware and software configured to extend or re-transmit the university network and telecommunications infrastructure, including all wireless technologies, must be approved by the Chief Technology Officer prior to acquisition and deployment. All systems, devices, and software capable of extending this infrastructure must adhere to configuration standards developed and maintained by the IT Department.

Finally, they very specifically stated what would occur if the policy was violated and the devices extending the network were located.

Any device, system, or software found in violation of this procedure may be confiscated and temporarily stored by the Chief Technology Officer or a representative of the office.

Of course these are all just snippets from several policies that combine into a proactive security stance for the University. But I believe they state very clearly the organization’s stance on network extension and may help those of you who have not considered these types of policies.

Now, where does this all get us with the original issue of permitting NATed VMware instances? I believe that it leaves it open to interpretation. It allows the IT personnel, developers, and Chief Technology Officer to negotiate an agreement by looking at the risks and implementing controls. The policies are flexible enough to permit this type of configuration with prior approval, while also empowering the IT department should a high risk situation arise.

Go forth and do good things,

Don C. Weber


Thin Client Poll

February 13th, 2008 cutaway Posted in Security, Security Catalysts, Thin Clients 1 Comment » 2,141 views

I have recently posted a question to the Security Catalyst Community.

I believe that it is becoming more and more clear that our biggest problems in security are vulnerabilities being exploited through the vector of the end-user. I think that it is becoming more and more obvious that the root cause of this problem is the extraneous, and perhaps unnecessary, amounts of processing power and program capabilities that are supplied to these users. Although hardening installations, limiting permissions, detailed policies, and user awareness do have an effect, I am starting to get the feeling that the ultimate solution is going to be reducing the exposure through strict control of the resources made available. Although not a new concept, thin client solutions are capable in most operating systems in addition to the similar third party solutions such as Citrix (there are probably more but this is the only one I know off the top of my head).

I would like to know about people’s opinions on thin clients and their place in businesses. I think it would also be curious to see what people think about the circular nature of this as it is very similar to the way mainframes operated. Do you feel that industries will move in this direction only to eventually shift back to the current situation?

We should get many interesting responses and you can read them by navigating to the original thread. Registration is required, but well worth it.

I have also decided to create Security Ripcord Poll on this subject for those who do not wish to navigate to the forum but would like to provide a quick opinion. And please, if you feel that I have the wrong impression of thin clients and their capabilities or effectiveness in a business environment, please leave a comment to help educate me and your fellow readers.

Enjoy.


Will businesses be safer if they limit the amount of processing power and programs available to end-users by moving to thin client solutions?

Go forth and do good things,

Don C. Weber


SCC Formulates a DHS IT Security EBK Response

November 30th, 2007 cutaway Posted in DHS, Security, Security Catalysts No Comments » 2,889 views

The Department of Homeland Security has developed a document to help address the quickly advancing security professional marketplace. The document is titled IT Security Essential Body of Knowledge (EBK). This document outlines the skill sets necessary for different security focus areas. To help tweak this document, and ensure that it meets the requirements of the industry, DHS has put out a request for comments about the document’s contents.

Purpose

The EBK draft document has undergone initial review through several working groups and through a series of role-based focus groups with members that serve or have served in IT security roles across the government, industry, and academia. Our purpose is to receive a larger audience review through the Federal Register process prior to finalization of the document and public promotion of its use.

As the Security Catalyst Community is very interested in the development of security professionals, we have begun an effort to review and comment on the contents of the document. (Thank you for the kick, Faith.)

So far I have been managing the review effort via email. Several well known security professionals have stepped forward and will be contributing to this effort. So far the list includes: Rich Mogul, Ron Woerner, Andrew Hay, Rebecca Herold, Michael Santarcangelo, Andy Willingham, David Mortman, Brett Lewis, Martin McKeay, and Landon Lewis. Hopefully more will be added soon.

Besides email, one of the resources we have been using is ScribbleWiki. This is where you, the reader, come into play. If you would like to contribute to the SCC comments you can do so by providing your input at the Security Catalyst Community’s DHS IT Security EBK Response page. Right now there is only input from myself, but in the coming days there should be more comments relating to the different subject areas.

Comments for the document are due by December 7th, 2007. Please provide your input to the ScribbleWiki site or by emailing me directly. On December 6th I will consolidate the comments from the Wiki and emails into the proper documentation. On the 7th I will add any stragglers and then submit the document to DHS.

Remember, there is potential that organizations will use this document to determine where their security professionals should be as they start considering them for hiring or promotions. If you think that something is missing, out of focus, or too much you need to let them know now. This is the Design phase, it is going to be much harder to change once the owners of this document move it into the Implementation phase.

Go forth and do good things,
Don C. Weber


Ron Woerner – an Email Interview

November 28th, 2007 cutaway Posted in Interviews, Security, Security Catalysts, Speaking 4 Comments » 5,928 views

Speaking, presentations, guided group discussions, brown bags, technical talks, impromptu meetings, moderated conference forums: security professionals at some point find themselves talking out loud in front of a wide variety of groups with a wide variety of skills and interests. Indeed, I personally believe that speaking in front of a group of people is one of the key skills necessary for all security professional. Although some people are born with this skill, the rest of us have to work at it. It takes guts, time, knowledge, and practice, practice, practice.

Luckily for all of us we have security professionals like Ron Woerner. Ron is a professional speaker who strives to provide guidance and leadership about speaking to anybody who will take the time to listen. More than once I have found myself turning to Ron and he has always made time for me.

Because of his expertise in speaking and security I decided that it would be a good idea to have Ron do an email interview about security professionals and speaking. First, let’s start with a little background on Ron.

Ron Woerner has over 17 years of experience in the security industry. He has been quoted in CSO, SC, and Information Security magazines and has been a noted speaker at security conferences throughout the U.S. including the RSA, CSI and NebraskaCERT Security Conferences. He has been employed as an Air Force Intelligence Officer, the Information Security Officer for the Nebraska Department of Roads, a UNIX administrator for the Mutual of Omaha Companies, and the Lead Security Engineer for CSG Systems, ConAgra Foods and now TD Ameritrade. Ron earned a Bachelors degree from Michigan State University and a Masters degree from Syracuse University in Information Systems. He was awarded the CISSP security certification in August of 2001, the NSA IAM certification in August of 2003, the Certified Ethical Hacker (CEH) designation in December 2005 and is a Certified Forensics Investigator.

Before we get into the interview, I would like to thank Ron for his very detailed responses. He really went above and beyond my expectations. It does not surprise me, but I am truly thankful.

Now onto the interview. The following, unedited, text is my questions and Ron’s responses.

1. In Episode 84 of the Network Security Podcast (http://netsecpodcast.com/?p=5), Rich Mogul talked about the importance of presenting skills. How important is presenting to a security professional and do you think it is any different from that of any other professional?

I agree fully with Rich Mogul that Security Professionals need to be able to communicate in both speaking and writing.

Communication skills distinguish security professionals from security technicians. This includes both spoken and written skills. We are constantly selling our ideas. If you can’t communicate, you can’t sell. As security professionals, we need to be able to communicate well in order to influence others’ behaviors to be more secure.

We speak for three primary reasons: to influence, to inform, and to entertain. In security, we are primarily trying to influence others to be more secure. Occasionally we are informing others about the state of security. Even in technical presentations, don’t discount the need to entertain. Think about the best speakers you’ve ever heard. They were entertaining while informing or influencing.

Consider the Wall St. Journal’s list of the traits that recruiters look for in business school candidates:

  • Communication and interpersonal skills
  • Original and visionary thinking
  • Leadership potential
  • Ability to work well within a team
  • Analytical and problem-solving skills

I ask, “Shouldn’t this be a similar list for security professionals?”

2. Do you think that the students coming out of college today are lacking the basic skills necessary for presenting information to a group?

I don’t think they’re only missing the skills; they’re missing an understanding of its importance. They will blow-off a basic communications class without realizing that it’s core to their success later on.

Additionally, many college classes require presentations, but often the students are told to do it without being shown how. A history professor does not feel it is their place to show students the basics of presenting. Plus the students aren’t given the right feedback to improve.

There are two primary types of speaking: prepared and impromptu. Most college classes focus only on the former. This is unfortunate because the ability to speak without preparation or notes can easily separate high achievers.

Security professionals need to be able to speak without a lot of preparation, because you never know when you’ll be called into the CIO’s office.

3. The latest Security Ripcord Poll asks is there is a difference between presenting and being able to lead a group discussion. Are these different skill sets or do you think they fall into the same category?

I agree that, “All security professionals should be able to present well and lead conversations.”
However, these are two different, yet related, skill sets. In presenting, you are front and center. You need to be able to address all questions and be seen as the SME. In leading group discussions, the focus is on the topic and participants. You don’t need to know the answers, but you do need to know what questions to ask. Plus the group is the SME.

As Tony Jeary says, “Life is a series of presentations.” Even in a group discussion, you will be presenting. Both traits demonstrate the need for security professionals to be leaders. As a security leader, you may be called to give a presentation or you may need to lead a discussion group. You better be prepared. One way is to learn and practice both skills.

4. What are some common mistakes that people who are new to presenting will find themselves doing? What are ways to overcome these mistakes?

Mistake #1: Not preparing for everything. This includes the basics, but also the unexpected. Murphy lives at presentations. If the technology can break, it will. Be ready for it.

Mistake #2: Depending too much on PowerPoint. See #1. Be ready to speak without a PowerPoint. Don’t bulletize everything you’re going to say. People came to hear you speak, not to read a book. Also, don’t…read…from…your…slides. (See the Smallest Presentation Hack Ever.) I’ve seen too many good presentations spoiled because of that.

Mistake #3: Too many grunts. Grunts are ums, ahs, and ya knows that fill a presentation. LifeHack has a great article on it: http://www.lifehack.org/articles/lifehack/how-to-cut-crutch-words-when-giving-a-speech.html. Most people don’t realize how much they grunt until they start listening to themselves.

5. What are some common mistakes that professional speakers can find themselves doing if they are not careful. Can you recommend ways they can determine they are doing these things?

See point 4 above. Those mistakes can happen to anyone.

The most common mistake for experienced speakers is not fighting for feedback. You need an unbiased evaluation in order to see your mistakes and grow. Our good friend, Michael Santarcangelo (http://www.securitycatalyst.com/), pointed out that most professional sportsmen have coaches. Speakers should have one as well.

6. If you had to pick one method to help a person improve their speaking skills, what would it be?

Darren LaCroix, the 2001 World Champion of Speaking, has a mantra for building talent as a speaker: “Stage time, stage time, stage time.” Take every opportunity you can get to present; whether it’s with a couple of people or a whole roomful.

One great place to develop both your speaking and leadership skills is Toastmasters (http://www.toastmasters.org/). A local Toastmasters club can provide all of the things I’ve talked about here. You get practice with both planned and impromptu speeches. You get evaluations from other experienced speakers. You can also get leadership experience. You can even take part in their many speaking competitions. All for a low cost. (I won’t say how much or else it may sound like a commercial.)

7. Do you think that the use of presenting software like Microsoft PowerPoint or Apple’s Keynote has adversely affected the presenting skills of today’s professionals?

I once asked Craig Valentine, another World Champion speaker why he didn’t use PowerPoint. He laughed. We place far too much reliance on presenting software. It’s supposed to supplement our presentation, not be its focus. Presentation Revolution has great comments on how, when, and where to use those programs. See its Change This manifesto: http://www.changethis.com/35.05.Presentation.

8. Could you recommend any books, blogs, or websites that people can use to gather information about presenting skills?

  • Toastmasters. Join a club near you.
  • Dale Carnegie has a number of books on leadership, speaking, and improving your people skills.
  • Peter Urs Bender, Secrets of Power Presentations (plus many other articles)
  • Businessballs article on Presentation Skills (http://www.businessballs.com/presentation.htm). We’re always saying that security needs to better connect with business. Businessballs shows how.
  • I’ve also mentioned a number of sites throughout my comments above.

9. Is there anything I have missed that you think is important to talk about when discussing presenting skills?

Don’t be afraid to get up and do it. You really have little to lose and much to gain. Plus, it’s addicting, once you get into it.

10. Is there anything you are working on that you would like people to know about?

We are continuing to build the Security Catalyst Community (http://www.securitycatalyst.org/forums/). This is a great way to connect with other security professionals from around the globe.

Let me know if you’re going to RSA 2008 in San Francisco. I look forward to talking with you.

“By working together, we all become stronger.”

Ron W

Go forth and do good things,
Don C. Weber


Incident Response without an Incident Response Plan

October 8th, 2006 cutaway Posted in Incident Response, InGuardians, Security Catalysts No Comments » 1,476 views

Check out the original post at The Security Catalyst Community. Please post any comments to the original article and not here.

When an organization decides to designate a person to handle security for their information resources, the first thing that individual is going to realize is that they do not have a procedure to use if there is a security incident. Whether the incident is a virus infection or an unauthorized disclosure of information, the organization needs a method to respond so that there is a risk assessment, incident management, and follow-up that considers security as well as business continuity. Although seemingly easy, it quickly becomes a large task to spin up brand new incident response procedures from scratch. Luckily there are many resources out there to assist security professionals in creating an incident response plan for their organization.

The following are what I consider to be good information resources to get started on an incident response plan:

  1. Read a book titled, “Incident Response & Computer Forensics, Second Edition” (ISBN: 007222696X) by Kevin Mandia, Chris Prosise, Matt Pepe, and Scott Larson. This book will familiarize you with the basic steps, terminology, and tools utilized when responding to an incident. This is a great resource for anybody who has not been exposed to incident response.
  2. For more detail on setting up an incident response plan take a look at the SANS book store (http://store.sans.org) for the “Computer Security Incident Handling Step-By-Step.” You can see a brief excerpt from the book at https://store.sans.org/samples/incidenthandling_sample.pdf.
  3. As you are creating your response plan you will find that there is a lot of documentation involved. Instead of starting from scratch you can use the SANS incident handling forms located at http://www.sans.org/score/incidentforms/index.php?portal=327e9b8f50ffeb4c9d90867b082d6d05.
  4. With a basic incident response plan in place you are going to need to understand the “enemy” better and prepare defenses within your environment. Although I have not had a chance to read this book yet, I have purchased it because of the great reviews it has received. It is titled “Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses” (ISBN: 0131481045) and it is written by two well-known and respected security instructors, Edward Skoudis and Tom Liston. You can check out the website for this book and other resources by these and other security instructors at http://www.counterhack.net/Counter%20Hack/Welcome.html
  5. Lastly, you should check out the comments to this article to see if anybody has posted references to other helpful resources. If you have one, POST IT.

Okay, enough with resources. What should you do “right now” if you have an incident and do not have an incident response plan ready to implement? Well, here are a few steps to get you moving down the right path.

  1. Remain calm and do not make assumptions. There may be a perfectly logical explanation once you have gathered all of the information available and have had a chance to review everything in a less stressful environment.
  2. Do a quick risk assessment to help determine the level of response:
    • Can anybody be hurt by what is happening?
    • Do the systems involved contain sensitive information?
    • Will what is happening affect the rest of the environment, or other networks outside of our environment?
    • Should the systems be shut down, or left running with only the network cable unplugged? (Powering off destroys volatile evidence such as running processes, open network connections, and memory contents; pulling the network cable contains the system while preserving them.)
  3. Decide who is in charge and which other people are going to need to be involved initially. Examples:
    • Team leader
    • System/network administrators
    • Legal counsel
  4. Get one team member to start thinking about, and working with the other administrators on, getting everything back up and running. The ultimate goal of an incident response is to help maintain business continuity. Do not, however, begin implementing any steps that might affect the information on the systems involved prior to deciding whether they need to be forensically copied in their current state.
  5. Determine if this is going to be an incident that involves a crime. If so, notify the proper authorities immediately as they will have methods and means to handle the incident. If you do not know who to call, contact your local police department and they will be able to point you in the right direction.
  6. Start documenting everything. Even if you do not have an official form, create a new notebook and designate a person to maintain the “case notes.” Record:
    1. How the incident was detected.
    2. Any actions taken in response to the incident.
    3. Any conversation you have with somebody outside of the organization.
    4. Any interviews with persons involved.
    5. Get a camera and start taking pictures of the systems involved before any change is made. Examples:
      • Front and back of system(s)
      • Cables
      • Serial numbers
      • Hard drive lights
      • Server heads-up displays
      • System and BIOS time (note the offset from a trusted clock, so log timestamps can be correlated later)
  7. Create a “chain of custody” form for controlling anything that may be perceived as “evidence.”
    • Each time the evidence passes to a new individual, document it on this form.
    • Try to keep “evidence” in a secure location with at least two methods of physical access control.
  8. Start gathering and centralizing log files from firewalls, routers, IDS, switches, etc., before log rotation or retention limits overwrite them.
  9. Determine if you are going to need to bring in a third party to assist with the incident response and/or computer forensics.
    • A good state by state list is located at the “Computer Forensics Companies” web site: http://www.computerforensicscompanies.com/statelist.html.
  10. Take your time and relax. It is okay to make mistakes or to not know an answer. If you have gotten this far you are doing great.
  11. Once you have finished, sit down with the team and go over the lessons learned. Use this experience to create a more detailed incident response plan, as you will probably now have more managerial buy-in to allocate time to this project.

Okay, eleven steps are more than a few. Hopefully these will get you over the hump of the first incident response and moving forward towards creating a detailed plan for future incidents.
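Steps 6 and 7 above (the case notes and the chain-of-custody form) are the records an ad-hoc responder most often has to produce later for management, counsel, or law enforcement, and the ones that are hardest to reconstruct after the fact. The following is an added example, written for this page and not part of the original post or of any Security Catalyst material, showing one way to keep those records electronically alongside the paper notebook: a hash-chained ledger in which each entry records the time, the person, the action taken and, for evidence items, the SHA-256 of the artifact and its current custodian, plus a verifier that reports the first altered, reordered or removed entry. The incident, hostnames, user names and evidence IDs in the demo are constructed.

```python
"""Hash-chained case notes and chain-of-custody ledger (added example).

Every entry records who did what, when, and, for evidence items, the SHA-256
of the artifact and who holds it. Each entry also carries the hash of the
previous entry, so an edited, reordered or removed entry is detectable when
the ledger is verified. It supplements, not replaces, the paper notebook.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for the hash "before" the first entry


def sha256_bytes(data):
    """SHA-256 of an in-memory artifact (e.g. a captured file or packet)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file on disk, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(prev_hash, fields):
    # Canonical JSON (sorted keys, no whitespace) so the same entry always
    # serialises, and therefore hashes, the same way.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_entry(ledger, recorded_by, action, evidence_id=None,
                 artifact_sha256=None, custodian=None, timestamp=None):
    """Append one case-note / custody entry to the ledger and return it."""
    prev = ledger[-1]["entry_hash"] if ledger else GENESIS
    entry = {
        "seq": len(ledger),
        "time": timestamp or datetime.now(timezone.utc).isoformat(),
        "recorded_by": recorded_by,
        "action": action,
        "evidence_id": evidence_id,
        "artifact_sha256": artifact_sha256,
        "custodian": custodian,
        "prev_hash": prev,
    }
    entry["entry_hash"] = _entry_hash(prev, entry)  # hash covers all fields above
    ledger.append(entry)
    return entry


def verify_ledger(ledger):
    """Return (True, -1) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry.get("seq") != i or entry.get("prev_hash") != prev
                or _entry_hash(prev, fields) != entry.get("entry_hash")):
            return False, i
        prev = entry["entry_hash"]
    return True, -1


def custody_trail(ledger, evidence_id):
    """Ordered list of (time, custodian, action) for one evidence item."""
    return [(e["time"], e["custodian"], e["action"]) for e in ledger
            if e["evidence_id"] == evidence_id and e["custodian"]]


def demo():
    """Constructed sample incident: hostnames, names and IDs are made up."""
    disk_image = b"constructed stand-in for a forensic disk image"
    ledger = []
    append_entry(ledger, "dweber", "Incident detected: AV alert on FILESRV01")
    append_entry(ledger, "dweber",
                 "Pulled network cable on FILESRV01; left system powered on")
    append_entry(ledger, "dweber", "Acquired disk image of FILESRV01",
                 evidence_id="EV-001", artifact_sha256=sha256_bytes(disk_image),
                 custodian="dweber")
    append_entry(ledger, "dweber", "Handed EV-001 to evidence locker keeper",
                 evidence_id="EV-001", artifact_sha256=sha256_bytes(disk_image),
                 custodian="jsmith")
    return ledger


if __name__ == "__main__":
    notes = demo()
    print("ledger intact:", verify_ledger(notes))
    for line in notes:
        print(json.dumps(line))
```

The chain catches edits, reordering and removal of any entry except the most recent ones: cutting the tail off the ledger leaves a shorter chain that still verifies. Guard against that by copying the current `entry_hash` into the paper notebook (or e-mailing it to counsel) at the end of each shift, and keep the ledger file itself off the systems under investigation.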

Go forth and do good things.
Cutaway


Letter to Santa on Security 2.0

September 27th, 2006 cutaway Posted in Security, Security Catalysts 2 Comments » 4,073 views

I just wrote an E-mail to Michael Santarcangelo of the Security Catalyst about his Security 2.0 initiative. Please comment if you have any input.  Also watch out for Michael to open the Security Catalyst Community soon.  You should also listen to the Security Roundtable if you haven't had the chance.

Go forth and do good things.

Cutaway 

*Edited slightly to clear up the early morning typos

Michael,

    I finally got a chance to listen to your Security 2.0 podcast and the SRT #4. I really think that you and the rest of the guys are addressing the issues that are core to the security field. In the past few years security has really taken off into its own space. There are all kinds of new innovations and implementations that are really starting to drive a large portion of the industry.

    I believe that your Security 2.0 theory definitely has a place within the community. I absolutely think that we are coming to a time when there will need to be a shift in attitudes towards how we are approaching security. Not necessarily at the enterprise level. We have a lot of that figured out in defense-in-depth strategies and defensive solutions, and what we don't have figured out we have plenty of capable people working on. What I mean when I say change is that there needs to be a shift in our approach to combating (imagine me, working that word into the conversation :-) the threat source. I really like that term, threat source. The exploitation of a vulnerability allows a threat to be initiated, but it is the threat source that must take some type of action to set the situation in motion. Human threat sources are really what is driving our industry; they are the demons to our paladins. Insiders, disgruntled employees, script kiddies, criminals, terrorists, drunken louts, jealous wives are all common threat sources that we are generally familiar with, but there is something that is missing from this equation: society and social behavior. It is easy to say that Americans don't understand the rest of the world. We are an isolated society with strong views and opinions. So it is easy to say that American security experts do not fully understand the Russian or Korean threat source's motives and methodologies. What some people don't realize is that different societies and social behaviors can be seen right around us. For example, here in south Texas things, including business, happen at a slower pace than on the east coast. Another example is (and I am generalizing, which is part of my point) that in Louisiana things are accomplished on a more tit-for-tat basis than on the west coast. People, I'm talking about the people we are working for, experience this far less than persons in our shoes because they, generally, stay close to home. We, security professionals, on the other hand realize that we are "10 to 15 milliseconds from every scumbag on the planet" (quote from a guest on Pauldotcom) and we have to plan accordingly.

    How I think that Security 2.0 is going to help is that you, and the other security catalysts you enlist, are going to begin asking questions of people who are not necessarily mainstream security or IT professionals. I think that, as a society, we have seen this type of thing before, when business started doing this in the 50's through the 70's (it hasn't stopped, but I believe that this is where the major advances were made; I do not have examples, I am just going off a sense of advancement through American history). And this is the type of direction a portion of the security industry has to walk if we are going to improve. Yes, we still need people developing protections, but we also need people who are furthering the understanding of the threat source. A perfect example is the direction people like Bruce Schneier are taking us. One of his recommendations to protect our society (and the world) from terrorism is to increase funding for prevention through education of the threat source, intelligence gathering, and behavior profiling instead of a rigorous set of controls that limit functionality and ease of use. Of course, there is always going to be a place for protections from mistakes, misconfigurations, and laziness, but to really advance we have to start looking outside of our industry and begin utilizing the research and resources that other professions and disciplines can provide.

    As to the SRT podcast on responsible reporting, I think that the Security 2.0 approach is going to help us here as well. With these types of experiences we will be able to begin a fundamental shift in the thinking of management, the legislature, and the judiciary. Only then will it be possible for us to move to an environment where people are not afraid to do the right and ethical thing.

Well, I have talked long enough.  Getting back into the writing mode has proved to be a little harder than I thought.  I am hoping that this will help me but I am also glad to hear people talking and advancing these issues.  I am looking forward to the progression of Security 2.0 and I am willing to help.

Take care and have a great week,
Don


Podcast Feedback

June 13th, 2006 cutaway Posted in Blogging, McKeay, Podcast, Security Catalysts 1 Comment » 1,876 views

First of all I would like to say that I am very impressed with the responses that I have received from the established podcasters out there. I've had responses from Martin McKeay, Dan Kuykendall, Michael Santarcangelo, and (another new guy on the podcasting block) Alan Shimel. I contacted them for a few promos so that I could start practicing lead-ins, and I figured that they would get back to me in a few days. Well, I was about to log off when the emails from the West Coast started coming in. They started offering advice and suddenly DDOSed my host's server. Luckily Martin had a solution, LibSyn, and a few hours later I was up and running. Little did I know that he was going to plug me and Alan the next day. So, what was supposed to be a leisurely introduction into podcasting has built up a bit of steam. No stopping now.

Luckily, as I stated, I was given a few words of advice that I was told I could pass on to all of you.

Advice from Martin McKeay:

Some input:

-> Get your podcast to a hosted environment. Don't try to host them yourself. Libsyn accounts start as low as $5 a month. Your current bandwidth is too low to host the podcast, a problem which is very clear when I tried to stream it.
-> Show notes! It makes it a lot easier when you go to record.
-> If you're going to be doing this a while, get a decent mic. I've heard a lot of good things about the Blue Snowball mic, which is around $140. Or you can get an M-Audio MobilePre USB preamp and a decent mic. I've got an Audio Technica AT2020. Check out Dan's podcast setup at Mighty Seek.
-> Something I just found out: Don't export to mp3 from Audacity. It's a great program, but the LAME encoder introduces sound artifacts into your audio. Export to a WAV file and then open the file with iTunes and use that to export to MP3. I use Audacity to record, but when I'm doing my encoding, I'm now using Adobe Audition. As of today, that is. I've also used Propaganda, which has a demo, is cheap, but is fairly limited. Its encoding is also better than Audacity's.

Relax and have fun.

I have to say that without Dan's Podpress I would have been completely dead in the water. Even after I DDOSed myself and moved to LibSyn, it let me quickly and easily point to the file located on my LibSyn account.

So, if you are going to try this, I am here to tell you, there is a lot of support in this community. I'm sure they will be watching me closely. Hopefully I can contribute.

Time to start working.   Thanks to all who have listened already. 

Go forth and do good things,

Cutaway 


First 5 Actions: Here are mine, where are yours?

May 4th, 2006 cutaway Posted in Assessment, Incident Response, Policy, Security, Security Catalysts No Comments » 1,753 views

I just added a post to the Security Catalyst site. During the recent podcast (Security Catalyst #27), Michael Santarcangelo wanted to start a forum topic, “What Are The First 5 Actions, Security Catalyst Case Study.” As I am starting to think about this very subject, I am very interested in everybody’s point of view on this. Please comment on my post either at the Security Catalyst site or here. As I state in the forum, I have very thick skin and I value your input.

———————————————

Some of these may seem a bit broad, but that is how they are intended, because I think that these are the basis for a plan. Before you start deploying systems and connecting them to the Internet, or let end users run around the internal network, you need to cover the basics and create a managed, secure environment. There should also be a sub-step for each of these to review the findings of the previous steps to see if the new information affects them.

1. Incident Response Policy - this is going to happen at some point. It would be tragic if it happened right off the bat, but stranger things have happened. You need to identify how this is going to be handled and individual responsibilities.
2. Prioritized Asset Identification - How do you know how to protect something unless you have identified what needs to be protected and which is most important?
3. Acceptable Use Policy - This will help you determine how your external and internal protections will be configured.
4. Network Deployment Review - If they have a network plan figured out but it has not been reviewed by the Security Manager, then it is still in development. At the least the network plan needs to be reviewed at this point to ensure that the previous steps have not created changes.
5. Deployment Strategy - Now that you have a list of assets, know what the network will be used for, and understand the network deployment scheme you need to determine how you will deploy and manage your assets. This strategy should cover how systems are built, hardened, managed, updated, and connected to the network.

I have thick skin so please hack away at this. I will be doing this very thing very soon and I hope to use this as a sounding board.

Thank you,
Cutaway

———————————————

Yes, thank you all,

Cutaway