Digital Sniper

Virtual Conferences

Virtualization really is the hot ticket.  Vendors are now offering virtual conferences to offset costs for attendees.  This is especially appealing to individuals who freelance, like us, and to security specialists whose employers have turned down their requests for travel and conference attendance.  The first virtual conference we signed up for is the first ever Sourcefire Virtual Customer Summit.

Infosecurity is hosting a virtual conference on information security on September 24, 2009 as well.  It should be interesting to see how effective this method of delivering information is on a global scale.

Militia threats

There is an interesting article in Intelligence Report about the rise of militia groups in the United States.  The only remark pertaining to anything digital was about how the Internet has opened up communication lines for militia groups.

The recent Department of Homeland Security report also pointed to the role of the Internet in the current movement: “Unlike the earlier period, the advent of the Internet and other information-age technologies since the 1990s has given domestic extremists greater access to information related to bomb-making, weapons training and tactics, as well as targeting of individuals, organizations and facilities, potentially making … the consequences of their violence more severe.”

The most interesting part is what is missing: any mention of the digital threats these groups pose.  Surely these militia groups have considered, or may be actively pursuing, digital attack methods.  The presence of both active and former law enforcement and military members is a strong indicator that they have tribal and operational inside knowledge, not to mention the number of sources connected to these groups.  Addressing insider threats and risks in your security program is paramount in these situations, but it is often overlooked by government and corporate organizations.  The government workforce relies on the background check and investigative process to address personnel trust, which is clearly a false sense of security.  Look at Aldrich Ames and Robert Hanssen.  Corporations do not cultivate a cultural awareness of security issues, specifically around insider threats.  A single page or slide during HR orientation is often the only training or exposure employees get.

Active police officers and military members undoubtedly must keep their affiliation with these militia groups under wraps.  The armed forces, the Army in particular, have suffered from a long-term problem with members running with gangs and hate groups.  No jurisdiction would allow one of its law enforcement officers to be a card-carrying member of a militant group; too much negative publicity and concern comes with it.

It’s pretty obvious King George III and the rest of the world would have considered the rebellious American colonists terrorists by today’s standards.  Oscar Wilde said “Patriotism is the virtue of the vicious.”  These militant groups consider themselves patriots, as did George Washington, John Adams, Nathan Hale and the rest of the revolutionary group.  In the event of a civil conflict, each individual American must choose a side: the government in place or the self-proclaimed patriots.  The Second Amendment was written for a very good reason, and the advancement of the human race now changes the definition of “the right to bear arms” to include a keyboard.

ArcSight Fraudview

Network World Security is running an article about ArcSight reconfiguring its ESM product to focus on financial indicators for banks.  ArcSight was a deployment disaster the first and only time we dealt with it.  The concept is great: funnel all the alerts and log data into one place and provide correlation.  But the rule sets and correlation setup were a nightmare.  The client who purchased it spent a lot of tax dollars to bring ArcSight in to help configure it properly.  ESM is very much like an ERP system in the business world, and it’s just as complex.  Companies like SAP really make their money in the customization, maintenance and troubleshooting arena, and from our perspective ESM followed suit.

In the first week of running ESM, we had over 4 million alerts.  Yes, that is four followed by six zeros and no decimal points.  Our team consisted of 11 intrusion analysts, so what happened?  The team lead decided to start turning alerts off.  Just like any other flavor-of-the-month product, the users get inundated with alerts and it becomes a boy-who-cried-wolf scenario.  If your car alarm goes off all the time, eventually you ignore it.  Same concept, but instead of your eight-track getting nicked, it’s weapon plans or intellectual property.
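Turning a rule off is the fastest way to make the console quiet, but it also blinds you to the next real hit on that rule.  The usual alternative is to first find out which handful of rules produce most of the volume, then collapse repeated identical alerts into one record with a count while letting high-severity alerts through untouched.  The script below is an added example of that triage, not code from the original post and not ArcSight’s own rule language: the alert record shape, the Snort-style rule names, the addresses and the sample volumes are all constructed for illustration, and the 10-minute window and severity cut-off are assumed tuning values.

```python
"""Triage a SIEM alert flood: rank the noisy rules, then collapse repeats
instead of switching rules off.  Added example; record shape, rule names,
addresses and thresholds are constructed assumptions, not ArcSight data."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str
    src: str
    dst: str
    severity: int  # assumed 1 (informational) .. 5 (critical)


@dataclass
class Aggregate:
    """One row on the console standing in for `count` identical alerts."""
    rule: str
    src: str
    dst: str
    severity: int
    first_seen: datetime
    last_seen: datetime
    count: int = 1


def build_sample_alerts():
    """Constructed sample: one chatty scanner, one noisy monitoring box,
    and two genuinely interesting hits buried in the noise (48 alerts total)."""
    base = datetime(2009, 9, 1, 8, 0, 0)
    alerts = []
    # An internal host sweeping a subnet every 3 seconds: 40 identical alerts.
    for i in range(40):
        alerts.append(Alert(base + timedelta(seconds=3 * i),
                            "ICMP PING NMAP", "10.0.0.5", "10.0.1.20", 1))
    # A monitoring server polling with the default community string: 6 alerts.
    for i in range(6):
        alerts.append(Alert(base + timedelta(minutes=2 * i),
                            "SNMP public access udp", "10.0.0.9", "10.0.1.1", 2))
    # Two shellcode hits from the outside against an internal web server.
    for secs in (0, 1):
        alerts.append(Alert(base + timedelta(minutes=5, seconds=secs),
                            "SHELLCODE x86 NOOP", "198.51.100.7", "10.0.1.80", 5))
    return alerts


def rank_rules(alerts):
    """Return (rule, count, share_of_total) sorted by volume, noisiest first."""
    counts = Counter(a.rule for a in alerts)
    total = sum(counts.values())
    return [(rule, n, n / total) for rule, n in counts.most_common()]


def tuning_candidates(alerts, share_threshold=0.25):
    """Rules that alone exceed `share_threshold` of all alerts: tune these
    (thresholds, known-scanner exceptions), do not simply disable them."""
    return [rule for rule, _, share in rank_rules(alerts) if share > share_threshold]


def collapse_repeats(alerts, window=timedelta(minutes=10), keep_severity=4):
    """Merge identical (rule, src, dst) alerts recurring within `window` of the
    first one into a single Aggregate.  Alerts at or above `keep_severity`
    are never merged, so suppression cannot hide a critical hit."""
    open_buckets = {}  # (rule, src, dst) -> Aggregate still accepting repeats
    out = []
    for a in sorted(alerts, key=lambda a: a.ts):
        if a.severity >= keep_severity:
            out.append(Aggregate(a.rule, a.src, a.dst, a.severity, a.ts, a.ts))
            continue
        key = (a.rule, a.src, a.dst)
        bucket = open_buckets.get(key)
        if bucket is not None and a.ts - bucket.first_seen <= window:
            bucket.count += 1
            bucket.last_seen = a.ts
        else:
            bucket = Aggregate(a.rule, a.src, a.dst, a.severity, a.ts, a.ts)
            open_buckets[key] = bucket
            out.append(bucket)
    return sorted(out, key=lambda g: (g.first_seen, g.rule))


if __name__ == "__main__":
    alerts = build_sample_alerts()
    print(f"{len(alerts)} raw alerts")
    for rule, n, share in rank_rules(alerts):
        print(f"  {n:4d}  {share:6.1%}  {rule}")
    print("tune first:", tuning_candidates(alerts))
    collapsed = collapse_repeats(alerts)
    print(f"{len(collapsed)} rows after collapsing repeats:")
    for g in collapsed:
        print(f"  x{g.count:<3d} sev {g.severity}  {g.rule}  {g.src} -> {g.dst}")
```

On the constructed sample the 48 raw alerts become four console rows: one for the scanner, one for the monitoring box, and the two shellcode alerts left exactly as they were.  The analyst still sees every rule that fired, and the volume report tells the team lead which rule to sit down and tune rather than which one to switch off.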

However, ESM is a great and powerful tool, just like SAP’s ERP systems.  But it requires a complex deployment project plan and gathering buy-in and understanding from the USERS, not the executive team who is purchasing it or the managers who will never sit at the console.  The users must feel they are part of the decision-making process and be able to provide feedback to maximize the chance of a successful deployment, especially for a complex project like ESM.  Another point to remember, and probably the most important, is that ESM is not the be-all-end-all solution.  It’s a complementary tool in the security professional’s toolbox.  Our client lead was convinced ArcSight was going to revolutionize the intrusion detection process and put it on autopilot.

Cybersecurity Czar

Is this office going to be filled before Obama’s first term is over? Every security outlet has devoted pages of reports and background information on this new role meant to change the security posture of the Feds. Our response has been consistent to every article: this is a turf war, with trust issues between government agencies. No individual is going to overhaul and bolster the security of the federal IT infrastructure. There are claims and statements that it won’t be easy, and this is the understatement of the year, because impossible is a more accurate word.

Having worked both sides of the fence I have seen the battles that rage between agencies regarding security. Some of the worst vulnerability assessment clients we ever dealt with were joint commands. These folks are pulled in so many different directions they don’t know where to stand. They may be controlled by one entity, but their connection is provided by a different service component, so now they have two directives to follow plus DISA and God knows who else. Another great example of this is joint emergency response units, which are staffed by multiple agencies and service components.

The issue is complexity, and adding another figurehead is going to make the problem worse, unless this person realizes they already have a component in place to handle and drive security to all clients. DISA handles the executive leadership and the military. The rest of the government is covered by FISMA, OMB Circulars and Homeland Security directives, which means each agency outside the executive branch and the military is interpreting and handling its security individually. In business terms there are vertical silos of control and operation when there should be horizontal control to ensure broad adherence and consistency. In reality, even the service components operate in silos because they all hate each other and think the others are idiots.

The Air Force and the Marines have the best approach to digital security. If you are not in compliance with an IAVA or directive, they will disconnect the offending unit from the network after multiple warnings. We’ve seen the Marines do it and have heard of the Air Force taking the same blunt approach.

While writing this post I found an interesting article on this topic. GCN discusses the Consensus Audit Guidelines, or CAG. Agencies affected by multiple guidelines are attempting to streamline them to provide consistency and to focus on protection instead of compliance issues. These compliance issues are simply metrics-reporting tasks and time wasters. There is a need for metrics, but the phrase “paralysis by analysis” comes to mind when the focus is on the numbers instead of the results.

Back Online

After suffering a fatal database crash, we are back. Our backup drive was lost, so our archives were not available. So much for disaster recovery planning at the lowest level. Ah, the advantages of cloud computing.