Wednesday, October 31, 2012

A binder full of security women executives

I just read a post on technet and it really reminded me of the binder full of women gaffe. ( by the way, I am non-political).
A quick excerpt from the blog post, the history of the founding of the Executive Women's Forum, now ten years old:"The prospect of finding a number of candidates to round out executive teams was a challenge too. In particular, Joyce was adamant that talented women existed for a spectrum of positions, while she also acknowledged that tracking down the talent and following the network wasn’t as easy as just going to security events."

Tuesday, October 30, 2012

Hurricane Sandy, physical security and rats

I just read that one of the side effects of hurricane Sandy was that the rats and mice that were in the subway tunnels, basements and parking garages had to come to the surface to escape the flooding.

Now they will be looking for two things, food and shelter. The unlucky buildings that give them both will have new residents. There is a great introduction here about why they are such a problem and what to do about it. Here is a more comprehensive discussion. Most of this I knew, but this article claims they can consistently survive a fall of 50'. Since they are now above ground, and they are good climbers, hmmmmm, I have an idea for an Indie horror film.

WA National Guard

I read a post on Richard Bjetlich's blog that Washington State National Guard was going to engage in cyber security.

Sure enough, here is a link to an article in the Bellingham Herald.

20 Critical Controls Reading List

Executive Summary:

The seminar papers required in your course of study are an opportunity for you to reflect on what you have learned in so far in The SANS Technology Institute's ISE 5100 and ISM 5100. You should view this first paper as a chance to establish a general theme for your studies, consistent with the overall goals you enumerated in the outcomes statement you submitted as part of your admission application.

Review your outcomes statement and if necessary, update it to reflect any changes in your goals. (Updates should be submitted to info@sans.edu so that we always have your most recent version.) Review the technical material in the SANS class, and especially the aspects regarding practical implementation of the technology. Review the 20 Critical Controls, your paper must include at least one aspect of the appropriate controls. We have provided a list of readings below, a mix of threats and solutions illustrating various aspects of the critical controls which mention recent security related events. Choose to read the ones you feel might be relevant to your environment, and you are welcome to use other sources as appropriate. Your paper should discuss practical application of security technology in a context that is consistent with your stated outcomes. You paper should also serve to increase the knowledge of security and implementation and should have at least five sources not listed below. Your paper should be five to ten pages in length and should be the beginning of your research for your monograph, part 4 of this course.

Learning Outcome:

The student will demonstrate mastery of the 20 Critical Controls as a framework to implement enterprise security.

Grading rubric:

Relation of paper subject matter to student outcome statement 10 possible
Relation of paper subject matter to at least one control 10 possible
Paper contributes to the body of knowledge 10 possible
Length of paper is between five and ten pages, 1 point per page
Writing quality ( grammar, spelling, flow) 10 possible

Critical Security Controls - Version 3.1



  • Critical Control 1: Inventory of Authorized and Unauthorized Devices Exploiting Embeded Devices http://www.sans.org/reading_room/whitepapers/testing/exploiting-embedded-devices_34022Signing chips
    http://defense.aol.com/2012/10/08/dla-demands-chip-makers-tag-products-with-plant-dna-a-war-on-co/
    Michael Baxter stole hw from Verizon and Cisco http://www.theregister.co.uk/2012/10/05/sysadmin_jail_kit_theft/
    Illegal imports of hw to Russia http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs-ransomware/

  • Critical Control 2: Inventory of Authorized and Unauthorized Software Malware on medical devices http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals/
    Downloading trojan (phone) http://www.h-online.com/security/news/item/French-hacker-captures-EUR500-000-with-smartphone-trojan-1734182.html
    Mobile malware http://news.cnet.com/8301-1009_3-57532937-83/fbi-warns-users-of-mobile-malware/
    Malware spreading through Skype - Ransomware http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs-ransomware/

  • Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

  • Critical Control 4: Continuous Vulnerability Assessment and Remediation Security business- Tenable http://www.baltimoresun.com/business/technology/blog/bs-bz-tenable-raises-capital-20121029,0,7059459.story

  • Critical Control 5: Malware Defenses
    Microsoft report on root kits http://blogs.technet.com/b/security/archive/2012/10/19/new-mmpc-threat-report-on-rootkits-now-available.aspx
    State sponsored mini=flame http://www.wired.com/threatlevel/2012/10/miniflame-espionage-tool/all/
    Sandboxing http://www.computerworld.com/s/article/9232562/Adobe_bolsters_Reader_Acrobat_XI_security?taxonomyId=17
    Attributes of Malicious Files http://www.sans.org/reading_room/whitepapers/malicious/attributes-malicious-files_33979
    Microsoft Report on Malware in Romania, Poland, Bulgaria http://blogs.technet.com/b/security/archive/2012/10/22/cyber-threats-in-the-european-union-first-half-2012.aspx

  • Critical Control 6: Application Software Security BEAST http://www.theregister.co.uk/2012/10/18/ssl_security_survey/

  • Critical Control 7: Wireless Device Control Symantec consumer wireless guide http://spotlight.getnetwise.org/wireless/wirelessguide.pdf
    NIST Checklist http://www.itl.nist.gov/lab/bulletns/bltnmar03.htm
    NIST Wireless Special Publication http://csrc.nist.gov/publications/nistpubs/800-153/sp800-153.pdf

  • Critical Control 8: Data Recovery Capability Computerworld overview http://www.computerweekly.com/feature/Computer-data-recovery-Essential-Guide
    One of the many Scott Moulton Youtube videos http://www.youtube.com/watch?v=Kx-D1nJcv0k

  • Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
    Netwars http://www.sans.org/cyber-ranges/netwars
    Why certify? http://www.giac.org/certifications/why-certify

  • Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Router vulnerabilty http://www.h-online.com/security/news/item/HP-asks-researcher-not-to-publish-security-vulnerabilities-1733216.html

  • Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services Using SNORT for intrusion detection in MODBUS TCP/IP communication http://www.sans.org/reading_room/whitepapers/detection/snort-intrusion-detection-modbus-tcp-ip-communications_33844

  • Critical Control 12: Controlled Use of Administrative Privileges
    Admin privileges in Windows 8 http://www.forumswindows8.com/general-discussion/how-promote-administrative-privilege-windows-8-a-2214.htm


  • Critical Control 13: Boundary Defense HSBC http://news.cnet.com/8301-1009_3-57535500-83/hsbc-hit-by-broad-denial-of-service-attack/ Social related hacking - null crew http://www.infosecurity-magazine.com/view/29035/nullcrew-continues-its-hacking-spree-with-a-new-international-operation/ SCOCKS proxies http://www.computerworld.com/s/article/9232197/Malware_infected_computers_rented_as_proxy_servers_on_the_black_market

  • Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment http://www.sans.org/reading_room/whitepapers/detection/logging-monitoring-detect-network-intrusions-compliance-violations-environment_33985 Evil Through the Lens of Web Logs http://www.sans.org/reading_room/whitepapers/logging/evil-lens-web-logs_33950

  • Critical Control 15: Controlled Access Based on the Need to Know Jitterbit and Workbench http://www.youtube.com/watch?v=19Q3kq_x-HE


  • Critical Control 16: Account Monitoring and Control Shortened URLs http://www.nextgov.com/mobile/2012/10/think-twice-you-click-dot-gov-link-your-cellphone/58914/?oref=ng-HPtopstory Encrypted Disk Detector ( opportunity to help ) http://computer-forensics.sans.org/blog/2012/10/29/help-improve-edd-encrypted-disk-detector

  • Critical Control 17: Data Loss Prevention Warantless wiretaps http://www.computerworld.com/s/article/9232580/High_court_nixes_appeal_of_AT_T_NSA_wiretap_Case?taxonomyId=17
    BYOD exposure http://news.cnet.com/8301-1009_3-57537298-83/some-android-apps-could-leak-personal-data-researchers-find/
    Google in Europe http://www.bbc.co.uk/news/technology-19953241 New Zealand Job seekers http://www.theregister.co.uk/2012/10/14/nz_mnd_leaks_data/

  • Critical Control 18: Incident Response Capability
    Ireland Domain Registry http://arstechnica.com/security/2012/10/irelands-domain-registry-suspends-some-operations-following-security-breach/
    http://www.darkreading.com/database-security/167901020/security/attacks-breaches/240008928/florida-university-breach-exposes-data-on-279-000.html
    Facebook response to data breach http://arstechnica.com/security/2012/10/facebook-tries-cloaking-probe-into-data-leak-involving-1-million-accounts/
    Zappos unenforceable EULA http://boingboing.net/2012/10/31/zapposs-crappy-eula-found-un.html

  • Critical Control 19: Secure Network Engineering
    Pacemaker attack http://www.computerworld.com/s/article/9232477/Pacemaker_hack_can_deliver_deadly_830_volt_jolt?taxonomyId=85 Letter to energy producers ( Sen. Rockefeller) http://assets.nationaljournal.com/pdf/1209_ElectricLetterRockefeller.pdf Secure OS for control systems http://www.eweek.com/security/kaspersky-lab-developing-secure-os-for-industrial-control-systems/

  • Critical Control 20: Penetration Tests and Red Team Exercises
    IPhone backup files. A penetration tester’s treasure trove? http://www.sans.org/reading_room/whitepapers/apple/iphone-backup-files-penetration-testers-treasure_33859
    Systems Engineering: Required for Cost-Effective Development of Secure Products http://www.sans.org/reading_room/whitepapers/physcial/systems-engineering-required-cost-effective-development-secure-products_34000


    Technology forces at work, not sure how cloud fits 20 CC
    Fault Modeling for Cloud Services http://blogs.technet.com/b/trustworthycomputing/archive/2012/10/11/fault-modeling-for-cloud-services.aspx
    Cloud Security Alliance https://cloudsecurityalliance.org/csa-news/csa-releases-siem-guidance/
    Google email under state sponsored attack http://www.nbcnews.com/technology/technolog/google-users-your-account-may-be-under-attack-6259428
  • Monday, October 29, 2012

    My defibulator has a virus and will not start

    I met Tim Hoffman at the annual ISSA meeting and we were talking about the problem of malware on medical devices. There is a great article about that here.

    I pointed out that the devices mostly worked anyway and Tim wisely pointed out that if he is have a heart attack he doesn't want the defibulator to mostly work. So true.

    The article jumps straight to the heart of the problem, with an example from Beth Israel Deaconess Medical Center in Boston: "664 pieces of medical equipment are running on older Windows operating systems that manufactures will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews."

    Wednesday, October 3, 2012

    SHA 3 is announced

    NIST has chosen SHA 3 and announced it. As they put it in their announcement, one reason this is important is if SHA 2 falls hard we have an insurance policy. The algorithm is Keccak "(pronounced “catch-ack”)". I commend the winners and look forward to playing with the new technology after the reference algorithm is published. One of the things I am most excited about is to see how deterministic it is. We know that two different messages produce a different digest, but if they are very similar, will the digest be similar. There are some interesting security implications including finding modified copyrighted documents if the digest allows similar documents to produce similar digests.

    VOIP in the cloud

    I was updating my course, MGT 512 day 1 and there is a section on VOIP. Did some Google searches to see what is new for VOIP and just was not finding anything, then I found a page that pointed to Youtube videos. What an incredible resource. There was a great explanation of SIP trunking that any CIO of a mid-size business should see. The potential cost savings are impressive. But the big eye opener is how many VOIP cloud providers have sprung up. This could really save a startup company a lot of money, just buy the IP phones or even use software phones that can work from PCs, Macs, iPads and such. In just a decade, the sunk cost of hardware for voice communications has dropped by an overwhelming amount of money, they most of these solutions do want a monthly subscription per user, but I bet with some research it gets pretty cheap.