Sunday, August 12, 2007
Monitoring and visibility, old'y but a...
From: http://www.schneier.com/crypto-gram-0107.html#5
"Without monitoring, you're vulnerable until your security is perfect. If you monitor first, you're immediately more secure."
"Monitoring should be the first step in any network security plan. It's something that a network administrator can do today to provide immediate value. Policy analysis and vulnerability assessments take time, and don't actually improve a network's security until they're acted upon."
"It's specious logic for a CIO to decide to wait until his network is stable, he understands his security, and all his patches are up to date. It'll never happen. Monitoring's best value is when a network is in flux -- as all large networks always are -- due to internal and external factors."
From the ensuing comments:
"However, if you insist on war as the metaphor, here are two thoughts along those lines. First, the war, if that is what it is, is surely a guerrilla war. The entities being attacked are large, visible, slow-moving and part of the power structure. They have much greater resources than the attackers, but no effective way to apply them. The attackers are few, dispersed, hidden and have few resources. But what they have is the free choice of when and where to attack.
To fight guerrillas it is necessary to a) identify them; i.e., distinguish them from civilians and b) control some resource that is essential to their survival. Given the Internet as it exists today, I don't see much hope of doing either of these. If the authorities decide to employ broadly targeted, draconian measures, they will find like the British in America and the Americans in Vietnam, that the collateral effects on innocent civilians are simply unacceptable.
My second thought about hacking as war is that the situation can be compared to that in many wars, but most especially the American Civil War. While some people were busy fighting and dying, war profiteers made fortunes selling rotten food, unserviceable uniforms and non-working weapons. With a market full of snake oil security, bug-ridden applications and vendors who are more interested in suing or prosecuting people who reveal security problems than fixing them, this seems like the kind of war we are in."
Nice segue to this post by Bejtlich re: Schneier and Cyberwar:
http://taosecurity.blogspot.com/2007/04/taking-fight-to-enemy-revisited.html
Thursday, August 09, 2007
ROI or NPV?
If you understand the acronyms above, maybe have a trek over here: http://financialcryptography.com/mt/archives/000939.html
otherwise you may want to move quickly on :)
Thursday, August 02, 2007
Time to think the unthinkable
So the problem, as quoted many times before, is: "how to demonstrate that security practices are both working and effective?"

As in most production network and system footprints, the goal posts, risks and processes are ever moving and changing. How do we measure security and track a risk management program effectively without making a comparison to some baseline or standard configuration?

The answer is we don't. There isn't any, and there never will be for *your* IT footprint.

So, you ask, what can we measure when trying to prove the unprovable? The answer lies in making a comparison to something, but to what? Other organisations, perhaps? Too tough, it seems, as they don't have, nor share, relevant data or reports, for obvious reasons. Each IT footprint and business is built on similar building blocks but is fundamentally different, as the "superorganism" morphs, grows and responds to different traffic and needs constantly.

What is required is a clone. A sometimes inferior and sometimes superior clone of the organism. A test subject, if you will. I am not talking about development systems or sub-models of the organism, but a live, fully functional version of the entire entity, which can assume many states at a whim.

With today's focus on virtualisation and seemingly never-ending processing and storage, surely we could construct a clone of our business residing entirely in memory on a single or distributed platform. This is what we would perform change management upon and measure against. Think of it not as a "honey-net", but as a "honey-org". Yeah, yeah, it needs X memory and won't be perfect, but it is better than nothing, and the "honey-org" could be constantly updated from the live management systems.

With a form of total information awareness we could build a clone of our systems, nodes and processes, exclusively in software, running on lower-spec hardware perhaps. Here, only time becomes the key factor. Using something akin to enterprise management systems, the information and images could be gathered to build a clone of our organisation or enterprise in as much detail as possible, which would facilitate a form of testing that would let us demonstrate what would, and does, happen if certain policies or changes are not enforced.

Three is the magic number: a production network, a clone network, and whatever other development or model systems are required.

This would not address physical security in tandem with virtual security, nor would it be able to fully simulate all users or business processes, but it is what we are approaching with products like Cisco's new provisioning platforms, Opnet's modeler and risk management via Skybox. The ability to then generate traffic and incidents is also required. SmartBits, IMix, VA and fuzzing to your heart's content, including session replay, all in one go? Easy, huh?

The main problem today is that we don't know enough about our environments. We need to know more. We need to build a fully virtual infrastructure to fully understand our real infrastructure. We may still be quite some distance away, but in extrapolating the possible futures, this seems to me to be the only way of demonstrating the "what if" scenarios!

Open up the virtual infrastructure to the net. Offer up your virtual systems to the bad guys. Transparency is the key, for both the bad guys and the good guys, if we really want to make progress. Perhaps.

In theory this is what we pretend to do with "Change Management" today, though the results are more often than not guessed at, divined from experience and faith, and totally subjective.

Yes, it is time to slow down the rate of change, make a copy, offer it up or strip bits away from our clone to see where and how the security dollars are really being spent. Gimme a clone, drop it in the lions' den, and I'll give you, at least in part, your ROSI (Return on Security Investment).
Thursday, July 12, 2007
Zen and back again...
What follows are some "modern" haiku (interspersed with images *to come*) which are based partially on my notes over the past few months, and also, to a degree, upon some of my experiences in this wonderfully calm and quaint Rinzai Zen temple outside of Kyoto.
Traditional or formal haiku should not only have a 5-7-5 syllable count, but should be composed during a pure moment of Zen which reflects and invokes an empathic experience in the reader. Also present should be a characteristic of, or reflection on, a season by virtue of an appropriate subject or action. Due to the pace of today's society and its disconnectedness from nature, I have dispensed with some of the more traditional aspects, in the hope of evoking in the reader an experience similar to mine. There are perhaps more messages than moments below, and of course some information technology!
Many distractions,
information overload.
Where is the wisdom?
Internal battles.
Elephant for dinner.
Morsel at a time.
Physical struggle,
gateway to inside, not out,
receiver go deep.
Faith in science,
No moral compass found here.
Perhaps in Zen?
Arrogant mind.
Our attachments and desires.
Wake up time.
So many "sheeple",
asleep at the wheel.
How to de-program?
Input and output,
constantly processing them.
Who does the work?
Watching the watcher.
One of us is a tool.
Wield with respect.
Bits in, bits out.
Quality information,
computer mind?
Symbiotic "we".
Both need constant attention,
unplug the machine.
All is nature,
what can we not control?
Begin with yourself.
Symmetry desired.
Where is the fun in that?
Let's remain human.
Dirty fingernails.
Ground is moist and warm.
Food from the womb.
Dappled sunlight,
much potential energy,
free-wheeling downhill.
Sooner or later,
worry grips the mind, draining.
How much is enough?
Half full, half empty.
Begin again. A new cup.
Paradigm shifting.
Summer decisions.
Experience of last year.
Life's moving goal posts.
Mind management,
herding cats, bees and mice,
welcome to the zoo.
Energy in thought,
our most prized possessions,
content and intent?
True nobility,
Improve upon former self,
ad-infinitum.
Criticise, gossip,
matter not when others speak,
self-judgement.
No unhappiness,
curious, energetic,
spirited, joyful.
All basic questions,
unanswered, never stupid.
Reluctant probing.
Form expectations,
plain as the nose on your face,
perceptions altered.
Too young, too old.
Deceive oneself, just do it.
Too rich, too poor.
Control your thoughts,
failure, no courage to try.
Nothing more, nothing less.
Future shock, peak oil,
adaptational breakdown.
Disease of change.
Ogburn culture lag.
Rate of human response,
obsolete people?
Premature future,
incompetent neurosis.
Avalanching change.
Death and permanence,
Suffocating complexity.
Impermanent rise.
Bleeding edge I.T.
Security, assurance,
nowhere to be found.
Always hurry forward,
Moulded mass education,
de-school society.
Early adopter,
enumerate the pitfalls.
Risk or reward?
Guaranteed future.
Where is the fun in that?
Step to the unknown.
Neural feedback loops,
"Thin slicing" situations,
partial involvement.
Avoid human ties,
flow through of people slowing down.
Nomadic children.
Sunday, June 24, 2007
Damn straight
Creativity expert Sir Ken Robinson challenges the way we're educating our children.
Thursday, June 21, 2007
Dear Sirs..
Another bold question if I may. The topic is trust. The subjects are sheeple and computer systems. The framework is IT Security. The context is always changing. The goals are the same. Intent is irrelevant. Miscreants abound.
Excuse me for arguing by analogy, but this online age-verification system for accessing movie trailers sums up many of the major issues and ignorances in IT Security.
http://blogs.csoonline.com/dirty_trailers_cheap_tricks
This morning, the New York Times has a nice story on gateways to online movie trailers that contain adult content. Trailers online will be preceded by colored tags, just like the green one you see in theaters that indicates the preview is acceptable for anyone watching. A yellow tag indicates the trailer may include PG-13ish content and a red one indicates an R-rated trailer, as it does in theaters, though red tags are rarely used in theaters.
The trailers that appear on the studios' movie sites, the story said, also have time of day restrictions, ostensibly viewable only between 9 p.m and 4 a.m.
More here
As the depth, pace and breadth of technology increases, no one can be expected to be an expert in all systems and subsystems they either use, interface with or build upon. Knowing what's going on 'under the hood' is becoming increasingly abstract and esoteric, especially to the standard consumer of computing resources. The issue is compounded by depth of code, system complexity, legacy systems, and third party drivers and modules, which are either knowingly or unknowingly part of a solution. Users require protection from both themselves and others while interfacing with systems or when having their information stored or utilised.
Unfortunately, global systems span geo-political boundaries: global systems which can be hijacked and used to attack more innocents. (Unfortunately, systems will continue to be, or will become, vulnerable over time!) And I am talking about any node here: routers, switches, firewalls and traditional endpoints.
I am leaning towards the belief that more services should be available to end-users in their local cloud. Not necessarily mandated, but available, depending upon the environment. This is a highly complex and potentially volatile area, and arguments abound; however, the question should be 'what's effective?'. DAMN -> fast, reliable and cheap. Though I like reliable!
How can you trust unmanaged systems and users? (Also known as information processing nodes!) See previous post.
How can you trust managed systems and users?
How can you trust infrastructure nodes?
Expect them all to fail. Expect them to be compromised. Expect to lose trust in them.
Now where does that leave us?
Let's look at the enforcement points on a simple systems trust model again... See previous post. (I like to think of the diagram as the equivalent of a Feynman diagram for IT Security, tee hee!)
So, some stuff to think about. Here's a new acronym/phrase for you, akin to SOA (Service Orientated Architecture).
SOV (Service Orientated Vulnerability): can be a compound or blended vulnerability.
SS (Service Surface): interface, network, user, back-end, etc.
IS (Interface Surface): a subset of the above which takes into account multiple new input vectors, as the future interface will have more than one API/endpoint/processor per endpoint, utilising new input devices and virtualisation.
Fun, fun, fun.
Every node will be a client.
Every node will be a server.
Every node will be a cache.
So now, do you trust the node, or introduce another trusted node to watch the node?
This could go on ad infinitum. At some point you hope there are enough checks and balances to watch the watchers.
Can we checksum people, anyone?
Schneier gets credit for leading me to the age verification system... http://www.schneier.com/blog/archives/2007/06/age_verificatio.html
Friday, June 15, 2007
What do IT Security and an HIV/STD test have in common?
Answers on an S.A.E. (Self Addressed Email)
Thursday, June 14, 2007
Symbiosis
Only when one stops separating the human from the endpoint system (which is what client-side security is really all about), and only then, will we make progress in the IT security battle. The human, peripherals and machine comprise the client-side endpoint, which needs to be protected in its entirety! Now let's think about Integrity, Availability and Confidentiality again.

Aside: Lines are being blurred between the conceptual client and server roles each day. Service orientated enterprise architectures are only a minor part of the puzzle... Let us never forget the users, administrators, operators and developers as part of the overall puzzle. (Or is it a mystery?)

Dorky is right!
IT Security needs more than this Open University style waffle.
I prefer the 'Look Around You' approach to learning ;)
Wednesday, June 13, 2007
A text from the ether
I got this message via text from a friend today:
"How many wasted thought cycles do we have each day, each month, each year, in a lifetime? How does fear rule our actions, control our thoughts, overrule our instincts, and dictate our emotions? Are we conditioned how to act and react? Are we bred to slave over data in the workplace? Have our minds been turned in to computers? Have our bodies been bred to consume? Are we drugged from childhood? Are we awake and if we were, how would we know?"
And here is a nice TED talk from Tenzin Bob Thurman (Uma Thurman's Dad!), who became a Tibetan monk at age 24, about a topic I would refer to as 'enlightened self-interest':
On my tech mind.
- Complexity Crunch
- Feedback Loops
- Change Management
- Reliability (Integrity)
- Loosely Coupled
- Mobile
- Everything is a client, everything is a server, everything is a cache
- Distributed content inventories
- Intelligent packets
- Metrics
- Quality of information
Sunday, June 03, 2007
The Blue Packet

This is a great post from a site I like about the mobile Telco industry. It made me laugh out loud. Things that evoke an audible response from you are special, whether good or bad!
Link (also in image): http://the.taoofmac.com/space/blog/2004/11/08
Friday, May 25, 2007
Ack, Ack, Ack
Just wanted to reiterate something from Wade's blog:
Watch your thoughts: They become your words.
Watch your words: They become your actions.
Watch your actions: They become your habits.
Watch your habits: They become your character.
Watch your character: It becomes your destiny.