
Posts Tagged ‘security’


Black Hat: 5 Security Lessons From an Ex-FBI Official


LAS VEGAS—There is a lot private sector companies can learn from the Federal Bureau of Investigation when it comes to beefing up their security defenses, a former official told attendees at the Black Hat security conference.

The private sector has to accept that companies can't keep focusing on protecting the network perimeter and must acknowledge that adversaries are already inside, Shawn Henry, former executive assistant director of the FBI and now president of CrowdStrike Services, a division of security startup CrowdStrike, told attendees at the Black Hat security conference. The private sector should bear the responsibility for defending its networks from criminals, lone-wolf attackers, nation states, and corporate espionage, Henry said, calling it a matter of "life and death" if companies failed to step up.

The FBI had to change its approach and tactics after 9/11, because it was clear terrorists were already inside the country. The best way to catch them once they were in was to work with other intelligence agencies to gather and share better intelligence, Henry said. The private sector has to shift the "paradigm" and approach security as a strategic exercise, collecting and analyzing intelligence and then taking concrete steps before the attackers can cause damage.

Black Hat USA 2012

In his keynote speech on the first day of Black Hat in Las Vegas, Henry laid out five lessons the FBI and other intelligence agencies learned when dealing with hostage situations in the real world.

The actual tactics used to launch the attacks may be different, but the theory is the same, he said.

Assume you’ve been breached.
Companies are accepting that they can't keep out intruders, so they are shifting their focus to minimizing the amount of time the adversary spends in the network. The goal is to quickly spot intrusions and quickly respond, Henry said.

“I can’t tell you how many times FBI agents are deployed onsite, saying they found data that was breached, because we found all of this company data outside of the network,” Henry said. “We sit down with the CISO or COO, and they said it couldn’t have happened.”

Of course, after some analysis, the same “couldn’t have happened” official realizes the perimeter had been breached months before. In some cases, the breach may have happened years ago, and the organization just didn’t notice, Henry said.

Be Proactive.
Once the organization has accepted that someone has breached the network, the logical next step is to look for them, Henry said. IT administrators and security teams have to constantly be looking for traces of malicious, unexplained activity. He did not advocate hacking back at the adversaries, noting that was illegal. However, he did encourage leaving behind fake files and information as decoys to trick adversaries looking for certain types of information. If the company was engaged in sensitive negotiations over a merger, that is what the thief is most likely looking for, so leaving fake data out for them to find is a way to foil their attempts, Henry said.
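The decoy tactic Henry describes above, worked through as an added example (not code from the keynote, the FBI or CrowdStrike): plant "canary" documents named for what a thief hunting merger data would look for, embed a unique token in each, then scan file-server and proxy logs for either the file name (someone opened a decoy) or the token (the decoy's contents left the network). The decoy names, directory layout, log format and log lines are all constructed for this illustration.

```python
"""Decoy ("canary") documents for the merger-negotiation scenario above.

Added example; not code from the keynote, the FBI or CrowdStrike. The decoy
names, directory layout, log format and log lines are all constructed here.
"""
import os
import re
import secrets
import tempfile
from dataclasses import dataclass

# Constructed decoy names: what an intruder hunting for deal data would look for.
DECOY_NAMES = ("merger_term_sheet_CONFIDENTIAL.txt", "board_deck_project_falcon.txt")


@dataclass(frozen=True)
class Decoy:
    path: str
    token: str  # unique per file, so one hit pins down exactly which decoy was touched


def plant_decoys(root, names=DECOY_NAMES):
    """Write each decoy with an embedded random token; return {token: Decoy}."""
    manifest = {}
    for name in names:
        token = "CNRY-" + secrets.token_hex(8)
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"Internal reference {token}\n")
            fh.write("DRAFT terms of acquisition (decoy: contains no real data)\n")
        manifest[token] = Decoy(path=path, token=token)
    return manifest


# Constructed audit/proxy log format: "<ts> src=<ip> user=<name> action=<verb> detail=<free text>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) action=(?P<action>\S+) detail=(?P<detail>.*)$"
)


def scan_logs(lines, manifest):
    """One alert per log line that touches a decoy, by token (content) or by file name.

    Nobody has a legitimate reason to open a decoy, so any hit is worth a look;
    a token hit in outbound traffic means the decoy's contents left the host.
    """
    by_name = {os.path.basename(d.path): d for d in manifest.values()}
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        detail = m["detail"]
        hit = next((d for t, d in manifest.items() if t in detail), None)
        if hit is None:
            hit = next((d for n, d in by_name.items() if n in detail), None)
        if hit is None:
            continue
        alerts.append({
            "ts": m["ts"], "src": m["src"], "user": m["user"],
            "action": m["action"], "decoy": os.path.basename(hit.path),
            "kind": "content_exfil" if hit.token in detail else "file_access",
        })
    return alerts


def build_sample_logs(manifest):
    """Constructed log lines: a benign read, a decoy read, an upload carrying a token, junk."""
    first = next(iter(manifest.values()))
    return [
        "2012-07-25T09:14:02Z src=10.2.3.4 user=jdoe action=fileread detail=smb://fs01/finance/q2_forecast.xlsx",
        f"2012-07-25T09:15:40Z src=10.2.3.4 user=jdoe action=fileread detail=smb://fs01/finance/{os.path.basename(first.path)}",
        f"2012-07-25T09:16:11Z src=10.2.3.4 user=jdoe action=httppost detail=POST https://paste.example/upload body contains {first.token}",
        "this line is not in the expected format",
    ]


def demo():
    """Plant decoys in a temp dir, scan the constructed logs, return the alerts."""
    with tempfile.TemporaryDirectory() as root:
        manifest = plant_decoys(root)
        return scan_logs(build_sample_logs(manifest), manifest)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The token, not the file name, is what makes this hold up once data leaves the network: a renamed or pasted copy still carries it, so the same scan works against DLP, proxy or paste-site monitoring output, and each token maps back to exactly one planted file.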

Not Everything Has to be on the Network.
Organizations are putting a lot of information on the network, without thinking about what really has to be there, Henry said. If the super-sensitive data is not on the network, adversaries can’t steal it. The FBI doesn’t put certain information, such as transcripts from court-ordered intercepts and documents detailing sensitive investigative techniques, on the network, Henry said.

“I don’t understand why more companies aren’t compartmentalizing their data,” Henry said.

Change How You Measure Success.
For a while, the FBI focused on how many arrests and indictments it made, Henry said. That wasn't a good metric because it didn't give any insight into whether the bureau was going after the big threats or affecting the landscape. The private sector should also change its metrics and, instead of worrying about keeping out intruders, focus on response speed, Henry said.

“How long after the adversary gets access to my network will I be able to identify and mitigate the threat?” Henry said.

Share Notes.
Information-sharing is the latest buzzword in security circles, and in a good way. Businesses should be sharing with each other and with the government the information about security threats they are seeing, Henry said. Granular intelligence gives security teams what they need to figure out where the attacks are coming from, what the motivations are, and what form the attacks may take, Henry said.

“We need to understand who the adversary is, because if we understand who they are, we can take proactive measures,” Henry said.



Black Hat Launches Control-Alt-Hack Security Card Game


LAS VEGAS—Imagine a game that is easy to play, fun, and teaches you about computer security. Attendees at the Black Hat security conference in Las Vegas got to watch a sample play session of one such game, dubbed Control-Alt-Hack.

A tabletop card game about white hat hacking, Control-Alt-Hack was developed by Yoshi Kohno, an associate professor of computer science and engineering at the University of Washington Computer Security and Privacy Research Lab, and Tamara Denning, a doctoral student in the department. Players are professional hackers hired by “Hackers, Inc.” to break into supposedly secure systems as part of a security audit.

Kohno incorporated real-life scenarios and threats in the game, including spam-spewing botnets, data breaches of patient medical records, and hacking SCADA devices. Players can exploit weak passwords and unpatched software in their penetration tests.

“We went out of our way to incorporate humor,” Denning said, before adding, “We wanted it to be based in reality, but more importantly, we want it to be fun for the players.”

Game Mechanics
Control-Alt-Hack is based on Steve Jackson Games’ Ninja Burger (now out-of-print but quite popular back in the day). There are 156 game cards in the deck, including 16 hacker characters cards, 56 “mission” cards, 72 “entropy” cards, and 12 attendance cards. The kit also includes 58 hacker cred tokens, to symbolize how cool the player is in the hacking world, and 42 money tokens.

The hacker cards display various personas and characters the player can adopt during the course of the game. The characters avoid the stereotype of the unkempt researcher glued to the computer all day. Instead, players play men and women with a wide-range of interests such as martial arts and rock climbing. The mission cards and entropy cards describe the goals of the player and the various situations they find themselves in.

“Gameifying” Security
The goal was to create an environment that would get people talking about security and asking questions as they learn while playing, Adam Shostack, an honorary member of the Computer Security and Privacy Research Lab, said during the presentation at Black Hat.

Neil Rubenking recently wrote about how vendors are trying to make security fun through games. An example is Stronghold of Security from Jagex, a free-to-play dungeon with a quest that can’t be completed unless the player performs various tasks to secure the user profile. The game also requires players to answer questions about ways to keep their accounts secure in order to pass from one room to another. Another example was the points and badge system built into password manager Dashlane. Users earn badges and other rewards as they select stronger passwords.

Control-Alt-Hack teaches that computer security is more than just running antivirus and goes to great lengths to portray attacker motivations and techniques.

“Go get the game, go play the game, and share the game with others,” Shostack urged the attendees. People should also “go make your own games,” Shostack said.

Availability
While it is not designed to be an educational game in the sense that it would teach specific concepts, people playing the game will be exposed to important computer security concepts, Kohno said. Control-Alt-Hack will be most useful in industry and educational settings, engaging students in a classroom or attendees at a conference.

The three-to-six-player game is designed for a fairly broad, but young, audience, 15 to 30 years of age, with a basic working knowledge of computer science, according to Kohno and Denning. The game is expected to go on sale this fall for $30, but educators can sign up on the game website to receive a free copy while supplies last.


For more from Fahmida, follow her on Twitter @zdFYRashid.



Security As A Service: “The Cloud” & Why It’s a Net Security Win


If you’ve been paying attention to the rash of security startups entering the market today, you will no doubt notice the theme wherein the majority of them are, from the get-go, organizing around deployment models which operate from “The Cloud.”

We can argue that "security as a service" usually refers to security services provided by a third party using the SaaS (software as a service) model, but there's a compelling set of capabilities that enables companies large and small to be effective, efficient and cost-manageable as we embrace the "new" world of highly distributed applications, content and communications (cloud and mobility combined.)

As with virtualization, when one discusses "security" and "cloud computing," three distinct perspectives are often conflated (from my post "Security: In the Cloud, For the Cloud & By the Cloud…"):

In the same way that I differentiated “Virtualizing Security, Securing Virtualization and Security via Virtualization” in my Four Horsemen presentation, I ask people to consider these three models when discussing security and Cloud:

In the Cloud: Security (products, solutions, technology) instantiated as an operational capability deployed within Cloud Computing environments (up/down the stack.) Think virtualized firewalls, IDP, AV, DLP, DoS/DDoS, IAM, etc.

For the Cloud: Security services that are specifically targeted toward securing OTHER Cloud Computing services, delivered by Cloud Computing providers (see next entry). Think cloud-based Anti-spam, DDoS, DLP, WAF, etc.

By the Cloud: Security services delivered by Cloud Computing services which are used by providers in option #2 and which often rely on those features described in option #1. Think, well…basically any service these days that brands itself as Cloud… ;)

What I'm talking about here is really item #3, security "by the cloud," wherein these services utilize any cloud-based platform (SaaS, PaaS or IaaS) to deliver security capabilities on behalf of the provider or ultimate consumer of services.

For the SMB/SME/branch office, one can expect a hybrid model of on-premises physical (multi-function) devices that also incorporate some sort of redirect or offload to these cloud-based services. Frankly, the same model works for the larger enterprise, but in many cases regulatory issues around privacy or IP arise. This is where "private" (or dedicated) versions of these services are requested (either on-premises or off, but dedicated.)

Service providers see a large opportunity to finally deliver value-added, scalable and revenue-generating security services atop what they offer today. This is the realized vision of the long-awaited "clean pipes" and "secure hosting" capabilities. See this post from 2007, "Clean Pipes – Less Sewerage or More Potable Water?"

If you haven’t noticed your service providers dipping their toes here, you certainly have seen startups (and larger security players) do so.  Here are just a few examples:

Qualys, Trend Micro, Symantec, Cisco (Ironport/ScanSafe), Juniper, CloudFlare, ZScaler, Incapsula, Dome9, CloudPassage, Porticor…and many more

As many vendors "virtualize" their offerings and start to realize that, through basic networking, APIs, service chaining, traffic steering and security intelligence/analytics, these solutions become more scalable, leverageable and interoperable, the services you'll be able to consume will also increase…and they will become more application- and information-centric in nature.

Again, this doesn't mean the disappearance of on-premises or host-based security capabilities, but you should expect the cloud (and its derivative offshoots like Big Data) to deliver some really awesome hybrid security capabilities that make your life easier. Rich Mogull (@rmogull) and I gave about 20 examples of this in our "Grilling Cloudicorns: Mythical CloudSec Tools You Can Use Today" at RSA last month.

Get ready because while security folks often eye “The Cloud” suspiciously, it also offers up a set of emerging solutions that will undoubtedly allow for more efficient, effective and affordable security capabilities that will allow us to focus more on the things that matter.

/Hoff




