emerging threats

1

Management 512 – © 2010 SANS

Everything I know is wrong!

How to lead a security team in a time of unprecedented change and challenge


This is NOT a New Problem

2


1943: A world market for maybe five computers


1981: No one will ever need more than 640k

3


1995: Internet will never take off


Some Specific Examples

“A man doesn't know what he knows until he knows what he

doesn't know.” Dr. Laurence Peters

4


.pdfs are the safe attachment

• Don’t send .docs that might transmit a virus, send a .pdf, it is “just” a print file

• Today, about 1/2 of malware infections originate from Flash and Reader http://www.itpro.co.uk/622522/adobe-reader-and-ie-feel-brunt-of-web-based-malware

• Doesn’t solve everything but I am loving Gpdf for Firefox and Chrome


Computers are made from CPU, MMU and possibly GPU

• Computers are made from a number of subsystems, many of which have own processor and memory that are not under direct control of OS

• June 2010 Bigfoot released an NIC with its own GPU

• And then, there is the baseboard management controller

http://www.itpro.co.uk/622522/adobe-reader-and-ie-feel-brunt-of-web-based-malware



















5


Hot site is the Cadillac of Disaster Recovery

• Hot site means equipment/network is available and configured

• However, today’s environments are so complex, that doesn’t work well; too many changes too fast. VMWareSite Recovery Manager has a much better chance of actually working.


Or maybe alternate sites

• Paul Volcker as the Fed, argued for redundant sites, database replication, geographic diversity

• How geographically diverse? Think EMP http://www.newsmax.com/RonaldKessler/emp-electromagneticpulse-William-Graham/2010/04/05/id/354742

6


If you encrypt it with AES it will be safe for 1000 years

• 2009, Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and AdiShamir, describe an attack against 10 round AES 256 that is fully practical

• 14 rounds is NIST standard so don’t panic yet

• Historical note, DES was still in common use when it could be cracked in near real time


You have to have anti-virus

• Is the prevailing wisdom and it has made its way to the auditor’s checklists

• 30k new malware per day from automated systems, AV is 90% effective at best and usually far lower

• What we have to have is endpoint white list technology, and it is a pain

7


Incident Response isn’t that hard

• In the past this was the domain of the Help desk and primary tool was a “cleaning kit”

• Today, you find you need an outside specialist in response/forensics/ investigation/malware who bills at $330.00 hour door-to-door


When you register a domain get the .net and .org as well

• Yeah, and every country code and domain suffix?

8


When you code, do all your housekeeping at one time

• Get your file handles to input files, scratch files, output files all in the same function, so if you can’t do your I/O you exit with a nice error message

• But, this allows a difference between TCO/TOU which opens the door for race conditions


Online banking is safe because of security questions

• It is likely that you mentioned the name of your pet on Facebook

• They usually only ask the security questions if you do not have a bank cookie

9


Online Banking Tips

• eTrade uses an RSA dongle, therefore it is my primary account

• Get your paycheck deposited into one bank account and do not use that account for ANYTHING other than paying bills

• Have a max of one bank where you have a debit card


As long as they don’t go to porn sites web surfing is harmless

• Surfing the web is probably the most dangerous thing you do using a computer

• NoScript Firefox, with Internet Explorer I have Flash disabled, try that and see how many web sites fail

10


I run Microsoft Update so I am pretty good, yeah?

• Actually, the odds are we have expired, end of life and out of date needing patches 3rd party applications

• I run Secunia PSI 2.0+ to try to manage this


You should never put more than one service on a server

• This was one of the lessons of the Morris Worm – 1988, if the server goes down, you lose multiple services

• Today, we have blades hosting hundreds of servers, however tools like VMotion may be able minimize the risk

• State of Virginia went down for IT August 2010 for about a week

11


OK, so what?

Stephen, you have shared some facts, some I knew, some I didn’t, some I need to research further, but what is

the point?


Future Shock Revisited

• 1970 – we are headed for a time of increasing change, people who can adapt will prosper, others . . .

• Coined the term “information overload” which no one uses anymore even though they are overloaded

• Concept of knowledge worker, who can work from anywhere (Aloha y’all)

12


So, everything we know isn’t wrong, it is just changing

Let’s talk about proven strategy to stay effective during times of change


Business “clue” during times of extreme change

• Situational awareness, get in the information stream, be alert for what you can measure

• Know what is “evergreen”, adapting to continue to deliver revenue as times change and protect that above all

• Don’t change anything that is working, save your energy for things that are not working well

13


Security “clue” during times of extreme change

• Threatpost

• ISC.SANS.ORG – hey, it looks a lot more like English than it used to

• SANS NewsBites

• Scan Searchsecurity.techtarget.com

• At least once a month, really dig into to a vulnerability or attack


Don’t force yourself or your smart techie to try to figure it all out

• Use templates for system configuration www.cisecurity.org

• Leverage the 20 Critical Controls, especially the quick wins and automated controls

http://www.cisecurity.org/

14


Managing “across”, managing peers

• Keep in mind that extreme change is and has been a fact of life in security for a long time, your peers in other areas of the business may not be as used to it as you are, give them some grace and time to adapt

• Also, not everyone needs to be a technologist; a good business operator brings in more money than a technologist 99 times out of 100


Managing the Boss

• Senior managers tend to be a little older and less flexible

• Make sure to add value to the organization and then hold your ground *in private*

• A compliment every once in a while doesn’t hurt

• Practice giving accurate, but simple and short explanations about technology

• Avoid FUD, that is so 1970s

15


Managing Direct Reports

• The two keys are capability and consistency, make sure the same boss shows up every day, push to improve capability

• Communication – if something does not get done, first check to see if your direction was clear

• Follow up, when you give direction set a calendar tickler


Challenge Yourself

• Meetings, whitepapers, policy are all important

• But don’t get so busy that you don’t actually play with a tool every once in a while

16


12 Laws of IT Power

• They can’t easily fire you if you are the best

• Never speak to management in hex

• At any given time know what the best selling security books are

• If you help people learn what you know, they will help you get the work done

• Bet on people and bet large

• Be flexible - as long as you have oxygen, power, water and propellant, you have options

• No sensible organization wants to mess with a rainmaker

• Avoid unplanned requests for money

• Be positive

• Teaming, the person next to you knows something you don’t

• Push back

• When opportunity knocks, be prepared to take advantage of the moment


Parting Thoughts

• Nobody becomes effective or irrelevant in a day, either is the result of thousands of choices

• We all have the same amount of time: avoid timewasters, seek timesavers, consider giving up a low value task to pursue a high value task

• Decide what you want to accomplish, the steps to get there, share it with a friend who will hold you accountable, use written reminders until the steps become habits and then disciplines

emerging threats

Technology