QOTD - US Cyber Commander on Defending IT

On May 5, 2009, Army Lt. Gen. Keith Alexander, Director of NSA, and now poised to become new commander of the US Cyber Command, spoke before the Terrorism, Unconventional Threats, and Capabilities Subcommittee of the US House Armed Services Committee:
[The US must maintain] the capabilities to use cyberspace as a medium to deter, deny or defeat any adversary seeking to harm U.S. national and economic security; while ensuring actions are undertaken in a manner that protects our Constitutional liberties.
...
The rapid expansion and global dependence upon cyberspace required the Defense Department to evolve its warfighting doctrine to include cyberspace as a viable domain on par with the domains of the land, sea air and space. Cyberspace is unlike the other warfighting domains, it is a man-made technological phenomenon solely reliant upon human activity. The Department of Defense defines cyberspace as 'a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems and embedded processes and controllers.
...
More than the speed of the communications, the rate of change of cyberspace, and the applications that use it, is continuous, making this domain ever evolving. However, the convergence of communications devices being driven by cyberspace is fueling an integration that has far reaching consequences, both positive and negative, that must be appreciated if one is to understand this domain.
[Emphasis is my own]
Src: Defending IT: Words from the New Military Cyber Commander | GovInfosecurity.com
Direct link to PDF of testimony

QOTD Heartland CEO on PCI Compliance

Just because you have a certificate of compliance doesn't mean that you can't get breached.

People had asked me for years 'what keeps you awake at night' and I would keep telling them it was the fear of a data breach. -- Robert Carr, CEO, Heartland Payment Systems
Src: Heartland CEO says data breach was 'devastating' | ComputerWorld

Data security 'flouted by workers'

Unfortunately, our studies have also shown that it often takes a data breach incident before an organisation will finally get their wake-up call and take data security seriously.
I don't understand why this surprises us when we behave the same way in the real world. Take traffic lights (and other transportation related changes) for example: I've seen too many cases where it takes a traffic fatality before people and the transportation authority (in the US, the Department of Transportation) decide to implement additional controls (i.e. traffic lights or other roadway improvements).

Two reasons come to mind regarding people's apathy regarding security:
  1. Is there appropriate management support for information security throughout the enterprise?
  2. Is there an appropriate and measured security awareness and education program?
Src: Data security 'flouted by workers' | BCS
Link to Press Release from Ponemon Study

Incident Response Templates, Cheat Sheets, and more

Yesterday I put out a call to the Twitterverse looking for Incident Response templates. There were many excellent suggestions so I decided to aggregate them here for future use.

Good start:
http://www.zeltser.com/network-os-security/security-incident-questionnaire-cheat-sheet.html
http://www.zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html
CIO-level http://www.cio.com/research/security/incident_response.pdf
DDOS related - http://www.zeltser.com/network-os-security/ddos-incident-cheat-sheet.html
Good list - http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,3629.msg19357/topicseen,1/

More depth:
http://www.first.org/resources/guides/
http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
Also see NIST Incident Response Templates: NIST SP 800-86, 800-83, 800-61rev1
http://www.sans.org/score/incidentforms/
http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html
http://labmice.techtarget.com/security/incidentresponse.htm
Digital Forensic Analysis Methodology Flowchart (PDF) http://www.cybercrime.gov/forensics_chart.pdf

Additional (not-IR specific sites):
http://www.cert.org/octave/
http://www.cerias.purdue.edu/tools_and_resources/
http://www.owasp.org/index.php/Main_Page
http://www.uribe100.com/index100.htm

Again, thanks to many in the Twitterverse who contributed: @lennyzeltser @shpantzer @idexperts @mikemurr @jth @cyberlocksmith @indi303 @raydavidson @richardebaker

RSA chief: The job of security guy is not to be 'Doctor No'

The job of the security guy is not to be "Doctor No." It's not to say "you can't do stuff," but rather how you can embrace these technologies and how you can do it securely. You can never do security perfectly, but if you do it in the context of risk, you can minimize your exposure... Your job then is to shift from protecting the container to protecting the data and information itself. -- Art Coviello, RSA president
I've said it before and I'll say it again: one too many "No!" and your users will start getting IT business done without IT or security's involvement.

Src: RSA chief: The job of security guy is not to be 'Doctor No'

Corrupted Word Files for Sale - Educators Beware

Educators take note: if your students are sending you MS Word files that are corrupted, it may have been done on purpose to buy more time to complete the work.

Src: Corrupted Word Files for Sale | Schneier on Security

5 Free Ways to Track Online Leaks of Information

This article highlights tools/services that companies/governments/individuals can use in order to track data of interest to them (e.g. intellectual property, good reputation, employee comments on social networks, etc). Keep in mind that the ways presented in the article are reactive by nature and are unlikely to expose a determined attacker (insider, hacker, or industrial spy).

Last year, I set up a Google Alert to report on some terms and mentions that I wanted to keep track of, a very useful tool at the reach of any Internet user, not just security pros or investigators.

Src: 5 Free Ways to Track Online Leaks of Information | ComputerWorld

Cloud Computing: The Dawn of Maneuver Warfare in IT Security | Government Cloud Computing

Until now, IT security has been akin to early 20th century warfare... The resulting IT security infrastructures and procedures typically reflected a “defense in depth” strategy, eerily reminiscent of the French WWII Maginot line... Often described as an “arms race”, the IT security landscape has settled into ever escalating levels of sophisticated attack versus defense techniques and technologies... Cloud computing represents an evolution, strategically it represents the introduction of maneuver warfare into the IT security dictionary. -- Kevin Jackson, writing for GovCloud.Utilizer.com
This is a well written article with a profound message: one does not have to fear the cloud as it provides new opportunities to defend against attacks. While I agree with many of the points made in this article, I find that it fails to address some cases: e.g. a single compromised server containing thousands or millions of records.

Src: Cloud Computing: The Dawn of Maneuver Warfare in IT Security | Government Cloud Computing

RFC1918 Caching Security Issues

The article by Robert Hansen (known as @RSnake) clearly lays out the dangers posed by what was once considered good-enough security: hiding information using non-routable IP addresses.

Src: RFC1918 Caching Security Issues | SecTheory - Internet Security

QOTD Standards and Bullet-Proof Vests

Standards are kinda like putting on a bullet-proof vest; they provide some important protection to the core, but you still have significant parts of the body exposed (vulnerabilities) that could be attacked (threats) and damaged, and even prove fatal to the organization that was considered as being 'compliant.' -- Rebecca Herold, The PrivacyProfessor
Src: Realtime IT Compliance | Audits Show Things At a Moment in Time; Silly To Sue For Breaches That Happen 1 Year After Audit Conclusion?