Sunday, June 17, 2012

If a Tree Falls...



“If wishes were trees, the trees would be falling…” - R.E.M., Stand
You know some variant of the rest of the saying, “…in the forest, would anyone hear it.” I could quickly turn this into a metaphor for continuous monitoring of critical systems. If a security incident happens, would anyone detect it?
Situational Awareness: Seeing the Forest for the Trees
How many trees do you need to monitor, all of them or just the critical and high-risk trees? How do you define the perimeter of the forest? Is there even a fixed perimeter, or does it change seasonally and continue to grow over time? Don’t forget to monitor the skies and the earth for risks. Let’s not forget network flows, as the trails and paths through the woods continually change. Do you have enough Ents on staff, and are they agile or do they take too long to act?
Security Event and Incident Management: Sustainable Logging
When a tree has fallen, we all know there is a log somewhere. But, do you know what to look for when reviewing those logs? Take a good look at the noisy photograph accompanying this post. There is part of an old rotting tree log in the foreground and a fallen tree in the background. But, did you notice the new tree growth coming from the old tree stump still connected to the ground? Is that growth the system renewing itself, or is it a malicious replacement of the fallen tree? Let’s not forget that old forgotten rotting log in the foreground; is it a necessary part of the system, or is it just there adding noise to your log review process?
We may never be able to stop every tree from falling, but we should know and understand the forests that we guard, be able to identify critical changes, and detect and respond to security incidents. If a tree falls, someone should detect and review the event.
While the metaphor can continue on, I will leave us standing here in the forest. As long as there are gaps in the tree line, we are not out of the cyber woods.
“Now stand in the place where you work…Wonder why you haven’t before” - R.E.M., Stand

Tuesday, May 8, 2012

Reading a Few Books


I threw a blank canvas on the floor, tossed a few security related books on it, and proceeded to take a poorly lit, blurry-eyed picture before writing this post. I thought it was time to talk about a few technical books I am currently reading. I will leave the formal book reviews to others and cover what I am reading, why I am reading it, and what I hope to get out of it.

The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (Syngress) by Patrick Engebretson

One of the more recent books I picked up after seeing it listed as suggested reading at a local security conference. The book is a fast read when I am actually reading it, but I am stopping frequently to play with BackTrack 5 in my various virtual sandboxes, making a two to three day read take two to three weeks. I really don’t do a lot of pen testing and this book looked to be a good review of some of the basic tools out there. My hope is that this book will provide me with a renewed perspective on pen testing methodology that I can apply to protecting and securing information systems. At the very least this is a book I feel I can recommend to others just getting started in information technology and struggling to understand why we actually need to lock things down.

Nmap Network Scanning: Official Nmap Project Guide to Network Discovery and Security Scanning by Gordon “Fyodor” Lyon

I have used Nmap off and on over the years and I am no stranger to its power. I picked up this book when I got The Basics of Hacking and Penetration Testing. I figured it can never hurt to have a good Nmap reference book on the shelf. I hope going through this book will give me that deep dive into using Nmap that will allow me to close a few gaps in my information security skills.

Metasploit: The Penetration Tester’s Guide (no starch press) by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni

I picked up this book a while back, read the first two chapters, and then got sidetracked by work and family life. I am really excited to get back into this book after I get through The Basics of Hacking and Penetration Testing. While I don’t intend on becoming an exploit security researcher, I am hoping this book will give me a good understanding of the Metasploit framework. At the end of the day, understanding tools like Metasploit should provide me with the knowledge to better secure information systems and networks.

These were a few of the security books I had on the shelf. Now for some reason they are all lying on top of a blank canvas on my living room floor. I guess I will have to find something else to fill the cyber gap in my bookshelf.

Sunday, April 29, 2012

A Blue Shield and Red Sword


By day I carry a blue shield into the fog of conflict. By night I sharpen and hone a red sword. While I rarely take the opportunity to use a red sword against an opponent, knowing how to use it helps me know where to best place a blue shield. They are clashing tools that should be understood and used with coherence.
Just as red teams should use reconnaissance, scanning, exploitation, maintaining access, etc., so should blue teams use reconnaissance, scanning, mitigation, maintaining authorized access, etc. Why should the red team get all the credit for finding the unlocked doors when the blue team should be finding the unlocked doors and mitigating them first? While red teams often have the opportunity to focus on one target, blue teams must defend all targets from multiple threats at all times. The red team strikes where the blue team is not looking.
One is not better than the other; they just have different challenges to work with, and they must work coherently to assess and mitigate the cyber lacuna.

Sunday, April 15, 2012

The Cyber Lacuna Loses the Cyber War

Gaps in your information technology and related research can contribute to your team losing its cyber war to other teams with access to gap-closing technology and research. At this point that statement should not seem so profound, but I still think it needs to be stated. Many of us sit on the sidelines speculatively arguing the existence of cyber war like activities, but do we truly understand the game?

I am not sure there is an end-game in cyberspace. The goal is not to win some arbitrary cyber conflict, but to maintain an advantage through continuous operations. Most of the time the advantage being sought will have little to do with anything cyber or the Internet. The cyber conduit is just one of many mediums where operations transpire. Gaining the advantage also does not necessarily mean that you have closed a gap for your team. You can take the advantage by creating and maintaining gaps in your adversary’s information technology or research.

You have to look no further than Stuxnet to see an example of a cyber-operation that conspired to create gaps in centrifuge technology so a possible nuclear research gap was maintained in Iran. While the team that carried out the cyber-operation clearly had developed or gained access to some gap-closing malware technology, they were willing to give up that cyber advantage to presumably maintain a nuclear advantage over Iran.

We know the cyber weapons of mass destruction are out there, so we need to maintain focus on closing our own cyber gaps. We need to think strategically about our defensive cyber security programs. We have to assess and develop target theories on where others would seek to exploit existing, or create new, gaps in our information technology or research.

The end-game is not in cyberspace; it's developing and maintaining the best people. Make sure the human element is not your cyber lacuna.

My thoughts may be unfinished and unrefined, but they are my own.

Wednesday, April 4, 2012

Lunch Line Security Theater

Back in 2010 at the first TEDxPSU event I was offered the opportunity by a very polite event worker to allow Bruce Schneier to step into the gap in the line in front of me at the lunch buffet. Earlier that morning I had been subjected to Bruce’s Reconceptualizing Security talk. Immediately I started assessing how I felt about the situation, wondering what the model was for dealing with it, and assessing what the reality was. My feelings were chasing for a model that would deal with the reality that was presenting itself.

I was eventually able to understand that the one person that I really wanted the chance to meet that day at TEDxPSU was going to be cutting into the lunch line in front of me. What possible security risk could there be in letting Bruce Schneier cut in the lunch line? The reality of the situation said there would be little to no risk in allowing one of the event speakers to cut in line. The model I had in my head said the social thing to do was be nice and welcome the opportunity, and assumed the other event guests behind me in line would not object, at least publicly.

The reality said there was no risk. The model said there was no risk. So, why did my feelings say there was risk? I had not expected to run into Bruce in the lunch line. I was a little shocked, felt unprepared, and did not want to leave Bruce with a bad impression.

I did acknowledge the event worker and openly welcomed Bruce by name into the lunch line, but was unable to further engage Bruce as the buffet and the rushing of the event worker provided an effective distraction. Although I was disappointed by the lost opportunity, later I was able to make it to the table where Bruce had eaten his lunch and was able to briefly say hi to him before he had to take a phone call. While I never really got to fully introduce myself to Bruce, I am not all that bummed about it. I now have a personal security theater story about the day Bruce Schneier cut in front of me in the lunch line.

Bruce started his talk that morning suggesting security is two different things, a feeling and a reality. The reality is that it’s not really that much of a risk to allow someone to cut in the lunch line, but you may feel a lot different about the security risk when it’s Bruce Schneier cutting in line.

Monday, April 2, 2012

Blue Team: Close the Gap with Situation Awareness


Blue Team:

I left Pleasant Gap this morning to attend the Penn State Security Conference 2012, where I was able to hear Mick Douglas, a PaulDotCom.com contributor, give his “Blue Team is Sexy: Refocusing on Defense” talk. Right away Mick’s rant had me re-visualizing how much I love being on the Blue Team. My takeaway from Mick’s message was it takes the right people that know their systems, applications, networks, and the right tools to use to defend the security gap. Without the Blue Team there is a Cyber Lacuna in your Information Security Program.

See Mick Douglas’ Derbycon 2011 talk at Irongeek.com:
Situational Awareness:

Later this afternoon I got to attend the “Improving Your Cyber Security Situation Awareness” talk by Nick Giacobe, Research Technologist, College of Information Sciences and Technology (IST), Penn State. Nick jumped right into defining Situation Awareness as the state of human knowledge of entities within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.

Through interviewing dozens of cyber security experts, Nick was able to gather a comprehensive understanding of what it takes to visualize the cyber security situation. Nick provided helpful insight into how a network or systems administrator can use the data from the systems, applications, networks, and the tools they use to improve situation awareness for practicing security analysts. Nick tied it all together by demonstrating a data fusion process using visualization tools.

As I arrived back in Pleasant Gap tonight I found myself re-visualizing how I can use cyber security situation awareness to refocus on defense and close the gap for the Blue Team.

Cyber Lacuna

This will be a space to fill in the gaps of my thoughts on Information Security. This has been in my mind for a while.

Cyber -
A prefix that means computers, internetworks, virtual reality, the space where reality is augmented.

Lacuna -
An empty space or a missing part; a gap.

Cyber Lacuna -
The missing medium of computers, internetworks, the space where reality is augmented; a cyber gap.

Cyberspace lost.