emerging threats
DESCRIPTION
Strong cryptography done correctly can’t be defeated! Wrong: a practical attack was published in 2009 against 10-round AES-256, and quantum key distribution proved to be flawed in May 2010. You have to have anti-virus! Well, fine, but it no longer works in a world that generates 30k new variations of malware some days. You should never have more than one service on a server. What about blades and virtualization? Data centers must have raised floors; funny, ours uses risers instead. If you are writing software, put all of your housekeeping, such as getting file handles of input and opening scratch files, in one function, because if those fail, your program will fail, and this way you can exit with a nice tidy error message. Of course, that introduces a number of TOC/TOU race conditions. If you are registering a domain name, be sure to also get the .net and .org ones to prevent people from using your brand. Okay, what about all the other domain extensions and country codes? The Blackberry is the only PDA that truly has enterprise-class management tools and a securable configuration. Hmmm, we read about organizations switching to the iPhone all the time; Apple must have done something right. I have been a security researcher for seventeen years, and even though I spend a part of almost every week researching new stuff, I have to be aware that much of what used to be the basic blocking and tackling of information security just doesn’t work, isn’t relevant, or may even be dangerous today. This talk will not just be about what was once true and is no longer; it will be a discussion of how to lead when much of the information flow you are receiving is suspect, as well as where we appear to be heading in the future (and I will make every effort to avoid using the terms cloud and Advanced Persistent Threat).
Stephen Northcutt, SANS Faculty Fellow
Stephen Northcutt founded the GIAC certification and currently serves as president of the SANS Technology Institute, a postgraduate level IT security college (www.sans.edu). Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security 2nd Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials and Network Intrusion Detection 3rd edition. He was the original author of the Shadow Intrusion Detection system before accepting the position of chief for information warfare at the Ballistic Missile Defense Organization. Stephen is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, white water raft guide, chef, martial arts instructor, cartographer, and network designer. Since 2007 Stephen has conducted over 34 in-depth interviews with leaders in the security industry, from CEOs of security product companies to the most well-known practitioners, in order to research the competencies required to be a successful leader in the security field. He maintains the SANS Leadership Laboratory, where research on these competencies is posted, as well as SANS Security Musings. He is the lead author for ExecuBytes, a monthly newsletter that covers both technical and pragmatic information for security managers. He leads the Management 512 Alumni forum, where hundreds of security managers post questions. He is the lead author/instructor for Management 512: SANS Security Leadership Essentials for Managers, a prep course for the GSLC certification that meets all levels of requirements for DoD Security Managers per DoD 8570, and he also is the lead author/instructor for Management 421: SANS Leadership and Management Competencies. Stephen also blogs at the SANS Security Leadership blog.
TRANSCRIPT
Management 512 – © 2010 SANS
Everything I know is wrong!
How to lead a security team in a time of unprecedented change and challenge
This is NOT a New Problem
1943: A world market for maybe five computers
1981: No one will ever need more than 640k
1995: Internet will never take off
Some Specific Examples
“A man doesn't know what he knows until he knows what he doesn't know.” Dr. Laurence J. Peter
.pdfs are the safe attachment
• Don’t send .docs that might transmit a virus, send a .pdf, it is “just” a print file
• Today, about 1/2 of malware infections originate from Flash and Reader http://www.itpro.co.uk/622522/adobe-reader-and-ie-feel-brunt-of-web-based-malware
• Doesn’t solve everything but I am loving Gpdf for Firefox and Chrome
Computers are made from CPU, MMU and possibly GPU
• Computers are made from a number of subsystems, many of which have their own processor and memory that are not under the direct control of the OS
• June 2010: Bigfoot released a NIC with its own GPU
• And then, there is the baseboard management controller
Hot site is the Cadillac of Disaster Recovery
• Hot site means equipment/network is available and configured
• However, today’s environments are so complex that this doesn’t work well; too many changes, too fast. VMware Site Recovery Manager has a much better chance of actually working.
Or maybe alternate sites
• Paul Volcker, at the Fed, argued for redundant sites, database replication, and geographic diversity
• How geographically diverse? Think EMP http://www.newsmax.com/RonaldKessler/emp-electromagneticpulse-William-Graham/2010/04/05/id/354742
If you encrypt it with AES it will be safe for 1000 years
• 2009: Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir described an attack against 10-round AES-256 that is fully practical
• 14 rounds is the NIST standard, so don’t panic yet
• Historical note, DES was still in common use when it could be cracked in near real time
You have to have anti-virus
• This is the prevailing wisdom, and it has made its way onto the auditors’ checklists
• 30k new malware samples per day from automated systems; AV is 90% effective at best and usually far lower
• What we have to have is endpoint white list technology, and it is a pain
Incident Response isn’t that hard
• In the past this was the domain of the help desk, and the primary tool was a “cleaning kit”
• Today you find you need an outside specialist in response/forensics/investigation/malware who bills at $330.00 per hour, door-to-door
When you register a domain get the .net and .org as well
• Yeah, and every country code and domain suffix?
When you code, do all your housekeeping at one time
• Get your file handles to input files, scratch files and output files all in the same function, so if you can’t do your I/O you exit with a nice error message
• But this creates a gap between time of check and time of use (TOCTOU), which opens the door for race conditions
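The race the slide warns about, as an added example (this is not code from the talk or from SANS): the up-front "housekeeping" function verifies an input path and hands back only a verdict, the program reads the path later, and in between the file is swapped for a symlink. The hardened version opens once with O_NOFOLLOW, validates through the descriptor with fstat, and returns the descriptor itself, so there is no second path lookup. The scratch directory and the file names input.txt and secret.txt are invented for the demonstration.

```python
"""Added example (not from the SANS slides): why "do all the housekeeping
in one function" can open a time-of-check/time-of-use (TOCTOU) window,
and the open-once pattern that closes it.  The scratch directory and the
file names below are invented for the demonstration."""
import os
import stat
import tempfile


def housekeeping_check_only(path: str) -> bool:
    """The pattern the slide describes: verify every input up front,
    but hand back only a verdict, not a handle.  Anything that happens
    to `path` after this returns is invisible to the caller."""
    try:
        st = os.stat(path)              # stat() follows symlinks
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode)


def use_later(path: str) -> bytes:
    """The 'use' half: re-resolves the name, so it reads whatever the
    path points at *now*, not what was checked earlier."""
    with open(path, "rb") as f:
        return f.read()


def open_regular_nofollow(path: str) -> int:
    """Hardened housekeeping: open once, refuse a symlink at the final
    component, validate through the descriptor (fstat, not stat) and
    return the descriptor.  All later I/O uses the fd, never the path."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("not a regular file")
    except Exception:
        os.close(fd)
        raise
    return fd


def demo_toctou_swap() -> dict:
    """Simulate an attacker winning the race in a scratch directory and
    report what each pattern ended up doing."""
    d = tempfile.mkdtemp(prefix="toctou-demo-")
    inp = os.path.join(d, "input.txt")
    secret = os.path.join(d, "secret.txt")   # stands in for something like /etc/shadow
    try:
        with open(inp, "w") as f:
            f.write("legit input\n")
        with open(secret, "w") as f:
            f.write("top secret\n")

        checked = housekeeping_check_only(inp)          # True: a regular file
        fd = open_regular_nofollow(inp)                 # hardened open accepts it too
        os.close(fd)

        # The race window: swap the checked file for a symlink to the secret.
        os.unlink(inp)
        os.symlink(secret, inp)

        leaked = use_later(inp)                         # follows the new symlink
        try:
            fd = open_regular_nofollow(inp)
            os.close(fd)
            hardened_refused = False
        except OSError:
            hardened_refused = True                     # ELOOP: symlink refused

        return {
            "check_passed": checked,
            "vulnerable_read": leaked,
            "hardened_refused": hardened_refused,
        }
    finally:
        for p in (inp, secret):
            try:
                os.unlink(p)
            except OSError:
                pass
        os.rmdir(d)


if __name__ == "__main__":
    print(demo_toctou_swap())
```

Keeping the handle, rather than the verdict, is the whole fix: the error-message benefit of front-loading the checks survives, because the hardened opener still fails early, but the object that was checked is the object that gets used.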
Online banking is safe because of security questions
• It is likely that you mentioned the name of your pet on Facebook
• They usually only ask the security questions if you do not have a bank cookie
Online Banking Tips
• eTrade uses an RSA dongle, therefore it is my primary account
• Get your paycheck deposited into one bank account and do not use that account for ANYTHING other than paying bills
• Have a max of one bank where you have a debit card
As long as they don’t go to porn sites web surfing is harmless
• Surfing the web is probably the most dangerous thing you do using a computer
• NoScript for Firefox; with Internet Explorer I have Flash disabled. Try that and see how many web sites fail
I run Microsoft Update so I am pretty good, yeah?
• Actually, the odds are we have expired, end-of-life, and out-of-date third-party applications needing patches
• I run Secunia PSI 2.0+ to try to manage this
You should never put more than one service on a server
• This was one of the lessons of the Morris Worm – 1988, if the server goes down, you lose multiple services
• Today we have blades hosting hundreds of servers; however, tools like vMotion may be able to minimize the risk
• The State of Virginia’s IT systems went down in August 2010 for about a week
OK, so what?
Stephen, you have shared some facts, some I knew, some I didn’t, some I need to research further, but what is the point?
Future Shock Revisited
• 1970 – we are headed for a time of increasing change, people who can adapt will prosper, others . . .
• Coined the term “information overload” which no one uses anymore even though they are overloaded
• Concept of knowledge worker, who can work from anywhere (Aloha y’all)
So, everything we know isn’t wrong, it is just changing
Let’s talk about proven strategy to stay effective during times of change
Business “clue” during times of extreme change
• Situational awareness, get in the information stream, be alert for what you can measure
• Know what is “evergreen”, adapting to continue to deliver revenue as times change and protect that above all
• Don’t change anything that is working, save your energy for things that are not working well
Security “clue” during times of extreme change
• Threatpost
• ISC.SANS.ORG – hey, it looks a lot more like English than it used to
• SANS NewsBites
• Scan Searchsecurity.techtarget.com
• At least once a month, really dig into a vulnerability or attack
Don’t force yourself or your smart techie to try to figure it all out
• Use templates for system configuration www.cisecurity.org
• Leverage the 20 Critical Controls, especially the quick wins and automated controls
Managing “across”, managing peers
• Keep in mind that extreme change is, and has been, a fact of life in security for a long time; your peers in other areas of the business may not be as used to it as you are, so give them some grace and time to adapt
• Also, not everyone needs to be a technologist; a good business operator brings in more money than a technologist 99 times out of 100
Managing the Boss
• Senior managers tend to be a little older and less flexible
• Make sure to add value to the organization and then hold your ground *in private*
• A compliment every once in a while doesn’t hurt
• Practice giving accurate, but simple and short explanations about technology
• Avoid FUD, that is so 1970s
Managing Direct Reports
• The two keys are capability and consistency: make sure the same boss shows up every day, and push to improve capability
• Communication – if something does not get done, first check to see if your direction was clear
• Follow up, when you give direction set a calendar tickler
Challenge Yourself
• Meetings, whitepapers, policy are all important
• But don’t get so busy that you don’t actually play with a tool every once in a while
12 Laws of IT Power
• They can’t easily fire you if you are the best
• Never speak to management in hex
• At any given time know what the best selling security books are
• If you help people learn what you know, they will help you get the work done
• Bet on people and bet large
• Be flexible - as long as you have oxygen, power, water and propellant, you have options
• No sensible organization wants to mess with a rainmaker
• Avoid unplanned requests for money
• Be positive
• Teaming, the person next to you knows something you don’t
• Push back
• When opportunity knocks, be prepared to take advantage of the moment
Parting Thoughts
• Nobody becomes effective or irrelevant in a day, either is the result of thousands of choices
• We all have the same amount of time: avoid timewasters, seek timesavers, consider giving up a low value task to pursue a high value task
• Decide what you want to accomplish, the steps to get there, share it with a friend who will hold you accountable, use written reminders until the steps become habits and then disciplines