Emerging Threats


Published on

Strong cryptography done correctly can’t be defeated! Wrong, a practical attack was published in 2009 against 10 round AES 256, quantum key distribution proved to be flawed in May 2010. You have to have anti-virus! Well, fine, but it no longer works in a world that generates 30k new variations of malware some days. You should never have more than one service on a server. What about blades and virtualization? Data centers must have raised floors; funny, ours uses risers instead. If you are writing software, put all of your housekeeping such as getting file handles of input and opening scratch files in one function; because if those fail, your program will fail, and this way you can exit with a nice tidy error message. Of course, that introduces a number of TOC/TOU race conditions. If you are registering a domain name, be sure to also get the .net and .org ones to prevent people from using your brand. Okay, what about all the other domain extensions and country codes? The Blackberry is the only PDA that truly has enterprise class management tools and a securable configuration. Hmmm, we read about organizations switching to the iPhone all the time, Apple must have done something right.

I have been a security researcher for seventeen years and even though I spend a part of almost every week researching new stuff, I have to be aware that much of what used to be the basic blocking and tackling of information security just doesn’t work, isn’t relevant, or may even be dangerous today. This talk will not just be about what was once true and is no longer; it will be a discussion of how to lead when much of the information flow you are receiving is suspect, as well as where we appear to be heading in the future (and I will make every effort to avoid using the terms cloud and Advanced Persistent Threat.)

Stephen Northcutt, SANS Faculty Fellow

Stephen Northcutt founded the GIAC certification and currently serves as president of the SANS Technology Institute, a postgraduate level IT security college (www.sans.edu). Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security 2nd Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials and Network Intrusion Detection 3rd edition. He was the original author of the Shadow Intrusion Detection system before accepting the position of chief for information warfare at the Ballistic Missile Defense Organization. Stephen is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, white water raft guide, chef, martial arts instructor, cartographer, and network designer.

Since 2007 Stephen has conducted over 34 in-depth interviews with leaders in the security industry, from CEOs of security product companies to the most well-known practitioners in order to research the competencies required to be a successful leader in the security field. He maintains the SANS Leadership Laboratory, where research on these competencies is posted as well as SANS Security Musings. He is the lead author for ExecuBytes, a monthly newsletter that covers both technical and pragmatic information for security managers. He leads the Management 512 Alumni forum, where hundreds of security managers post questions. He is the lead author/instructor for Management 512: SANS Security Leadership Essentials for Managers, a prep course for the GSLC certification that meets all levels of requirements for DoD Security Managers per DoD 8570, and he also is the lead author/instructor for Management 421: SANS Leadership and Management Competencies. Stephen also blogs at the SANS Security Leadership blog.

Published in: Technology, Business
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Emerging Threats

  1. 1. 1 Management 512 – © 2010 SANS Everything I know is wrong! How to lead a security team in a time of unprecedented change and challenge Management 512 – © 2010 SANS This is NOT a New Problem
  2. 2. 2 Management 512 – © 2010 SANS 1943: A world market for maybe five computers Management 512 – © 2010 SANS 1981: No one will ever need more than 640k
  3. 3. 3 Management 512 – © 2010 SANS 1995: Internet will never take off Management 512 – © 2010 SANS Some Specific Examples “A man doesn't know what he knows until he knows what he doesn't know.” Dr. Laurence Peters
  4. 4. 4 Management 512 – © 2010 SANS .pdfs are the safe attachment • Don’t send .docs that might transmit a virus, send a .pdf, it is “just” a print file • Today, about 1/2 of malware infections originate from Flash and Reader http://www.itpro.co.uk/622522/adobe-reader-and-ie-feel-brunt-of-web-based-malware • Doesn’t solve everything but I am loving Gpdf for Firefox and Chrome Management 512 – © 2010 SANS Computers are made from CPU, MMU and possibly GPU • Computers are made from a number of subsystems, many of which have own processor and memory that are not under direct control of OS • June 2010 Bigfoot released an NIC with its own GPU • And then, there is the baseboard management controller
  5. 5. 5 Management 512 – © 2010 SANS Hot site is the Cadillac of Disaster Recovery • Hot site means equipment/network is available and configured • However, today’s environments are so complex, that doesn’t work well; too many changes too fast. VMWare Site Recovery Manager has a much better chance of actually working. Management 512 – © 2010 SANS Or maybe alternate sites • Paul Volcker as the Fed, argued for redundant sites, database replication, geographic diversity • How geographically diverse? Think EMP http://www.newsmax.com/RonaldKessler/emp-electromagneticpulse-William-Graham/2010/04/05/id/354742
  6. 6. 6 Management 512 – © 2010 SANS If you encrypt it with AES it will be safe for 1000 years • 2009, Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, describe an attack against 10 round AES 256 that is fully practical • 14 rounds is NIST standard so don’t panic yet • Historical note, DES was still in common use when it could be cracked in near real time Management 512 – © 2010 SANS You have to have anti-virus • Is the prevailing wisdom and it has made its way to the auditor’s checklists • 30k new malware per day from automated systems, AV is 90% effective at best and usually far lower • What we have to have is endpoint white list technology, and it is a pain
  7. 7. 7 Management 512 – © 2010 SANS Incident Response isn’t that hard • In the past this was the domain of the Help desk and primary tool was a “cleaning kit” • Today, you find you need an outside specialist in response/forensics/ investigation/malware who bills at $330.00 hour door-to-door Management 512 – © 2010 SANS When you register a domain get the .net and .org as well • Yeah, and every country code and domain suffix?
  8. 8. 8 Management 512 – © 2010 SANS When you code, do all your housekeeping at one time • Get your file handles to input files, scratch files, output files all in the same function, so if you can’t do your I/O you exit with a nice error message • But, this allows a difference between TCO/TOU which opens the door for race conditions Management 512 – © 2010 SANS Online banking is safe because of security questions • It is likely that you mentioned the name of your pet on Facebook • They usually only ask the security questions if you do not have a bank cookie
  9. 9. 9 Management 512 – © 2010 SANS Online Banking Tips • eTrade uses an RSA dongle, therefore it is my primary account • Get your paycheck deposited into one bank account and do not use that account for ANYTHING other than paying bills • Have a max of one bank where you have a debit card Management 512 – © 2010 SANS As long as they don’t go to porn sites web surfing is harmless • Surfing the web is probably the most dangerous thing you do using a computer • NoScript Firefox, with Internet Explorer I have Flash disabled, try that and see how many web sites fail
  10. 10. 10 Management 512 – © 2010 SANS I run Microsoft Update so I am pretty good, yeah? • Actually, the odds are we have expired, end of life and out of date needing patches 3rd party applications • I run Secunia PSI 2.0+ to try to manage this Management 512 – © 2010 SANS You should never put more than one service on a server • This was one of the lessons of the Morris Worm – 1988, if the server goes down, you lose multiple services • Today, we have blades hosting hundreds of servers, however tools like VMotion may be able minimize the risk • State of Virginia went down for IT August 2010 for about a week
  11. 11. 11 Management 512 – © 2010 SANS OK, so what? Stephen, you have shared some facts, some I knew, some I didn’t, some I need to research further, but what is the point? Management 512 – © 2010 SANS Future Shock Revisited • 1970 – we are headed for a time of increasing change, people who can adapt will prosper, others . . . • Coined the term “information overload” which no one uses anymore even though they are overloaded • Concept of knowledge worker, who can work from anywhere (Aloha y’all)
  12. 12. 12 Management 512 – © 2010 SANS So, everything we know isn’t wrong, it is just changing Let’s talk about proven strategy to stay effective during times of change Management 512 – © 2010 SANS Business “clue” during times of extreme change • Situational awareness, get in the information stream, be alert for what you can measure • Know what is “evergreen”, adapting to continue to deliver revenue as times change and protect that above all • Don’t change anything that is working, save your energy for things that are not working well
  13. 13. 13 Management 512 – © 2010 SANS Security “clue” during times of extreme change • Threatpost • ISC.SANS.ORG – hey, it looks a lot more like English than it used to • SANS NewsBites • Scan Searchsecurity.techtarget.com • At least once a month, really dig into to a vulnerability or attack Management 512 – © 2010 SANS Don’t force yourself or your smart techie to try to figure it all out • Use templates for system configuration www.cisecurity.org • Leverage the 20 Critical Controls, especially the quick wins and automated controls
  14. 14. 14 Management 512 – © 2010 SANS Managing “across”, managing peers • Keep in mind that extreme change is and has been a fact of life in security for a long time, your peers in other areas of the business may not be as used to it as you are, give them some grace and time to adapt • Also, not everyone needs to be a technologist; a good business operator brings in more money than a technologist 99 times out of 100 Management 512 – © 2010 SANS Managing the Boss • Senior managers tend to be a little older and less flexible • Make sure to add value to the organization and then hold your ground *in private* • A compliment every once in a while doesn’t hurt • Practice giving accurate, but simple and short explanations about technology • Avoid FUD, that is so 1970s
  15. 15. 15 Management 512 – © 2010 SANS Managing Direct Reports • The two keys are capability and consistency, make sure the same boss shows up every day, push to improve capability • Communication – if something does not get done, first check to see if your direction was clear • Follow up, when you give direction set a calendar tickler Management 512 – © 2010 SANS Challenge Yourself • Meetings, whitepapers, policy are all important • But don’t get so busy that you don’t actually play with a tool every once in a while
  16. 16. 16 Management 512 – © 2010 SANS 12 Laws of IT Power • They can’t easily fire you if you are the best • Never speak to management in hex • At any given time know what the best selling security books are • If you help people learn what you know, they will help you get the work done • Bet on people and bet large • Be flexible - as long as you have oxygen, power, water and propellant, you have options • No sensible organization wants to mess with a rainmaker • Avoid unplanned requests for money • Be positive • Teaming, the person next to you knows something you don’t • Push back • When opportunity knocks, be prepared to take advantage of the moment Management 512 – © 2010 SANS Parting Thoughts • Nobody becomes effective or irrelevant in a day, either is the result of thousands of choices • We all have the same amount of time: avoid timewasters, seek timesavers, consider giving up a low value task to pursue a high value task • Decide what you want to accomplish, the steps to get there, share it with a friend who will hold you accountable, use written reminders until the steps become habits and then disciplines