J Wolfgang Goerlich's thoughts on Information Security
Attacking hypervisors without exploits

By wolfgang. 3 January 2014 16:58

The OpenSSL website was defaced this past Sunday. (Click here to see a screenshot from @DaveAtErrata on Twitter.) On Wednesday, OpenSSL released an announcement that read: "Initial investigations show that the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration." The announcement led to speculation that a hypervisor software exploit was being used in the wild.

Exploiting hypervisors, the foundation of infrastructure cloud computing, would be a big deal. To date, most attacks in the public cloud are pretty much the same as the traditional data center. People make the same sort of mistakes and missteps, regardless of hosting environment. A good place to study this is the Alert Logic State of Cloud Security Report, which concludes "It’s not that the cloud is inherently secure or insecure. It’s really about the quality of management applied to any IT environment."

Some quick checking showed OpenSSL to be hosted by SpaceNet AG, which runs VMware vCloud off of HP Virtual Connect with NetApp and Hitachi storage. It was not long before VMware issued a clarification.

VMware: "We have no reason to believe that the OpenSSL website defacement is a result of a security vulnerability in any VMware products and that the defacement is a result of an operational security error." OpenSSL then clarified: "Our investigation found that the attack was made through insecure passwords at the hosting provider, leading to control of the hypervisor management console, which then was used to manipulate our virtual server."

No hypervisor exploit, no big deal. Right? Wrong.

Our security controls are built around owning the operating system and hardware. See, for example, the classic 10 Immutable Laws of Security. "Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore. Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore." Hypervisor access lets the bad guy do both. It was just one wrong password choice. It was just one wrong networking choice for the management console. But it was game over for OpenSSL, and potentially any other customer hosted on that vCloud.
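The two mistakes described above, a guessable password and a management console reachable from the wrong network, both leave traces in the console's login audit trail. The following is an added example, not code from the original post or from any vendor: it scans a constructed, generic login log for a burst of failed logins followed by a success from the same source, and lists successful console logins from addresses outside an assumed management network. The log format, the `10.50.0.0/24` management range, and the thresholds are all assumptions for the sake of the example; a real vCloud, vCenter or ESXi audit log has its own syntax.

```python
"""Flag password guessing and out-of-network logins on a management console.

Added example (not from the original post). The log lines, the management
network range and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Constructed sample log lines in a simple generic format.
SAMPLE_LOG = """\
2014-01-01T03:10:01 console login user=admin src=203.0.113.7 result=FAIL
2014-01-01T03:10:03 console login user=admin src=203.0.113.7 result=FAIL
2014-01-01T03:10:05 console login user=admin src=203.0.113.7 result=FAIL
2014-01-01T03:10:06 console login user=admin src=203.0.113.7 result=FAIL
2014-01-01T03:10:08 console login user=admin src=203.0.113.7 result=FAIL
2014-01-01T03:10:11 console login user=admin src=203.0.113.7 result=OK
2014-01-01T08:00:00 console login user=ops1 src=10.50.0.12 result=OK
2014-01-01T08:05:00 console login user=ops2 src=10.50.0.13 result=FAIL
2014-01-01T08:05:30 console login user=ops2 src=10.50.0.13 result=OK
"""

MGMT_NETS = [ip_network("10.50.0.0/24")]  # assumed management VLAN
FAIL_THRESHOLD = 5                         # failures before a success that count as guessing
WINDOW = timedelta(minutes=5)              # how far back failures are counted

LINE_RE = re.compile(
    r"^(?P<ts>\S+) console login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>OK|FAIL)$"
)


def parse(log_text):
    """Turn matching log lines into event dicts; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "ok": m["res"] == "OK",
        })
    return events


def find_guessing(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (src, user, timestamp) for each success preceded by >= threshold
    failures from the same source and user inside the window."""
    fails = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["ok"]:
            recent = [t for t in fails[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append((ev["src"], ev["user"], ev["ts"].isoformat()))
            fails[key].clear()
        else:
            fails[key].append(ev["ts"])
    return hits


def find_out_of_network(events, mgmt_nets=MGMT_NETS):
    """Sources of successful logins that are not inside any management network."""
    return sorted({
        ev["src"] for ev in events
        if ev["ok"] and not any(ip_address(ev["src"]) in net for net in mgmt_nets)
    })


def analyze(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {
        "guessing": find_guessing(events),
        "out_of_network": find_out_of_network(events),
    }


if __name__ == "__main__":
    for kind, findings in analyze().items():
        print(kind, findings)
```

On the constructed log, the `admin` success from `203.0.113.7` is flagged twice: once as a success following five rapid failures, and once as a console login from outside the management range. Either finding on its own is worth an alert; together they are the SpaceNet scenario in miniature. The operator `ops2`, with a single typo before a success from the management VLAN, is not flagged.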

It does not take a software exploit to lead to a breach. Moreover, the absence of exploits is not the absence of lessons to be learned. Josh Little (@zombietango), a pentester I work with, has long said "exploits are for amateurs". When Josh carried out an assignment at a VMware shop recently, he used a situation very much like the one at SpaceNet AG: he hopped onto the hypervisor management console. The point is to get in quickly, quietly, and easily. The technique is about finding the path of least resistance.

Leveraging architectural decisions and administration sloppiness is a valid attack technique. Scale and automation are what change with cloud computing. It is this change that magnifies otherwise small mistakes by IT operations and makes compromises like OpenSSL possible. Low-quality IT management becomes even worse.

And cloud computing's magnification effect on security is a big deal.


Security | Virtualization

Happy New Year 2014

By wolfgang. 1 January 2014 15:19

TLDR: 2013 rocked and 2014 will be even better.

My 2013 resolution was "Read less, do more." Do more, I did. Let’s recap.

Software development. I added new channels to the #incog library and rewrote it as a PowerShell module, which I released at a talk at Source Boston and taught at a workshop at Eastern Michigan University. I contributed to the PowerShell Security or PoshSec project, which I presented on with the project lead, Matt Johnson, and this became one of the most popular talks on the #misec YouTube channel. I also contributed to a variety of side projects with Charles Green of SimplyCubed.

Systems engineering. My DevOps team at Munder Capital architected and designed a new private cloud infrastructure that offers significantly higher performance and security than public cloud, at a lower price point. I presented on both the design and on my team leadership at CIO Symposiums in Grand Rapids and Sioux Falls. I left Munder in August, confident in my team’s ability to execute on the vision.

Cyber security. I joined VioPoint as the VP of Consulting in August, and I have been building out the security team and the new Security Operations Center. Collaborating with MiSec, we began working on a threat modeling approach. It is a unique model in that it encompasses communication, threat intelligence, mitigating controls, and security exercises. We have since presented this approach at a number of conferences and taught it at a workshop, and are working on a whitepaper.

This brings us to 2014, where my resolution is growth. Growth for my MiSec community. Growth for my VioPoint team. Growth for me, personally and professionally. We have expanded the MiSec monthly meeting space and we will be launching a new conference this summer. I will be adding several more talented folks to my VioPoint team, and expanding our security monitoring and testing services. You can expect to see me engaging more with the security community and being a bit more out in front than I have been in years past. It is time to take it up a notch.

As always, thank you for reading and joining me. Let's roll.



December 2013 wrap-up

By wolfgang. 27 December 2013 16:09

Quick round-up of things that have been happening:

We competed in the RuCTFe event last weekend. David Schwartzberg from Barracuda has a write-up: Moar Security War Games. "The team of ethical hackers is called MiSec, short for Michigan Security, and were testing their mettle against 173 teams spread across the planet. The team captain, Wolfgang Goerlich, asked if I would join the MiSec team to deploy a Barracuda Web Application Firewall (WAF) and Barracuda NG Firewall in front of a highly vulnerable Linux server."

VioPoint continues to grow and we are in the final stages of building a new Security Operations Center. Metromode did a brief piece: VioPoint doubles space and adds jobs in Auburn Hills. "If timing is everything, then the leadership team at VioPoint thinks it has the right ingredients for a significant growth spurt. 'We have the right people and the right services and we're going at the market at the right time,' says Wolfgang Goerlich."

BSides Columbus accepted a talk from Mark Kikta and me: Rapid Fire Threat Modeling. Everyone is talking about threat modeling. But when you get down to it, few are doing threat modeling. The reasons are simple: modeling can be complicated, there is conflicting information, and it is not clear what to do with the finished model. This session presents a pragmatic threat modeling exercise that can be accomplished in an afternoon. We will review how to find sources for threat models, communicate the findings, audit and assess the available controls, and drive change within the organization. In sum, this talk presents a practical approach to rapidly getting the most from threat modeling. (January 20, 2014. Columbus, OH)

ConFoo accepted my software development lifecycle talk: SDLC in Hostile Environments. What happens when end-users have the motive, opportunity, and skillset to attack our software? When two hacker conferences hosted a six week capture-the-flag contest, organizers learned first-hand how this impacts the software development life cycle (SDLC). We will discuss wins and losses, successes and failures, and hard lessons learned. (February 24 - February 28, 2014. Montreal, Canada)



MiSec events in December

By wolfgang. 9 December 2013 07:44

The next two weeks are packed with MiSec goodness. I thought it best to do a roll-up blog post, rather than my normal Tweet shout-outs.

Concise Courses: Wednesday, December 11th, 12pm
FedRAMP: How the Feds Plan to Manage Cloud Security Risks
Presented by: Steven Fox (@securelexicon)
Online here: http://www.concise-courses.com/cloud/20121212/

North Oakland ISSA: Wednesday, December 11th, 6pm to 8pm
Practical Threat Modeling
Presented by: Wolfgang Goerlich (@jwgoerlich) and Mark "Belt" Kikta (@B31tf4c3)
Baker College
1500 University Drive
Auburn Hills, MI 48326

OWASP Detroit: Thursday, December 12th, 7pm to 9 pm
Susie the Useful SOC Puppet: A blue-team bedtime story.
Presented by: Jeremy Nielson (@jeremynielson)
First Center Building
26911 Northwestern Highway
Southfield, MI 48033

RuCTFe: Saturday, December 14th, 5 am to 2 pm
Online Technologies Corporation (OTC) of Ann Arbor
5430 Data Court, Ann Arbor, MI 48108

Holiday dinner: Wednesday, December 18, from 7 pm to 10 pm
Rochester Mills Beer Co
400 Water Street
Rochester, MI 48307
Tickets here: http://www.eventbrite.com/e/misec-holiday-dinner-tickets-9635260323


Out and About

Friday Books and Talks 12/06/2013

By wolfgang. 6 December 2013 18:52

Here are some of the books and talks that I enjoyed this week, in no particular order.

Your Survival Instinct Is Killing You
Retrain Your Brain to Conquer Fear, Make Better Decisions, and Thrive in the 21st Century
by Marc Schoen

"Thanks to technology, we live in a world that’s much more comfortable than ever before. But here’s the paradox: our tolerance for discomfort is at an all-time low. And as we wrestle with a sinking “discomfort threshold,” we increasingly find ourselves at the mercy of our primitive instincts and reactions that can perpetuate disease, dysfunction, and impair performance and decision making."

"Your Survival Is Killing You can transform the way you live. Provocative, eye-opening, and surprisingly practical with its gallery of strategies and ideas, this book will show you how to build up your “instinctual muscles” for successfully managing discomfort while taming your overly reactive Survival Instinct. You will learn that the management of discomfort is the single most important skill for the twenty-first century. This book is, at its heart, a modern guide to survival."

Differentiate or Die
Survival in Our Era of Killer Competition
by Jack Trout

"In today's ultra-competitive world, the average supermarket has 40,000 brand items on its shelves. Car shoppers can wander through the showrooms of over twenty automobile makers. For marketers, differentiating products today is more challenging than at any time in history yet it remains at the heart of successful marketing. More importantly, it remains the key to a company's survival."

"In Differentiate or Die, bestselling author Jack Trout doesn't beat around the bush. He takes marketers to task for taking the easy route too often, employing high-tech razzle-dazzle and sleight of hand when they should be working to discover and market their product's uniquely valuable qualities. He examines successful differentiation initiatives from giants like Dell Computer, Southwest Airlines, and Wal-Mart to smaller success stories like Streit's Matzoh and Connecticut's tiny Trinity College to determine why some marketers succeed at differentiating themselves while others struggle and fail."


Why Leaders Eat Last
By Simon Sinek

"In this in-depth talk, ethnographer and leadership expert Simon Sinek reveals the hidden dynamics that inspire leadership and trust. In biological terms, leaders get the first pick of food and other spoils, but at a cost. When danger is present, the group expects the leader to mitigate all threats even at the expense of their personal well-being. Understanding this deep-seated expectation is the key difference between someone who is just an 'authority' versus a true 'leader.'"



Risk management circa 2018

By wolfgang. 5 December 2013 18:11

This past Tuesday, I was out at Eastern Michigan University speaking with information assurance students. The professor invited me to visit his Risk-Vulnerability Analysis class and asked that I give my Practical Risk Management talk.

Practical Risk Management was a talk I had given widely in 2007-2008, describing my efforts to stand up a risk management practice for a financial services firm. The case study covers aspects that I found went surprisingly well, and aspects that I found were surprisingly hard. Since five or six years had passed, I had expected to have to significantly revise the slide deck. Clearly, lots has changed, right?

Surprisingly, no.

The areas we wrestled with last decade remain challenging for clients and organizations today. I found little had changed. On the bright side, that fact simplified my revisions to the slide deck for Eastern Michigan University. On the down side, of course, that means we continue to struggle.

Why? In part, it is because of the seductive simplicity of the Risk = Asset * Vulnerability * Threat formula. Find the values, plug them in, multiply, and prioritize. Easy, right?

Easy, except asset management and valuation is tricky. Few organizations have a reliable hardware and software inventory. Fewer still have automated audits and the ability to see, immediately, when the inventory changes. This matters as such changes are often an indicator of compromise. Few organizations, too, can tie assets to business processes and provide financial valuation on impact. The question of what we have and why it matters is elusive.

And vulnerability management? Putting the dependency on an accurate asset inventory aside, vulnerability management is not quite a slam dunk either. True, software such as Qualys takes the grunt work out of the process. Automation can also shift from annual assessments to continuous vulnerability assessments. Yet the real difficulty in vulnerability management continues to be driving the remediation efforts. Thus we see many vulnerability management programs with tens of thousands of open vulnerabilities.

Threat management has made some progress. In 2008, my chief concern was a lack of threat intelligence and information on what actual attackers were using to achieve actual objectives. Today, we have better information sharing (ISACs, CERTs). We also have services like Risk I/O that map vulnerabilities to threat intel feeds. Tighter integration goes a long way towards prioritizing on realistic risks. Nevertheless, as evidenced by penetration test results, the gaps in asset and vulnerability management, combined with control weaknesses and architectural security concerns, offer the motivated threat actor a variety of ways to compromise an organization.
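The three areas above, asset, vulnerability and threat management, come together in the Risk = Asset * Vulnerability * Threat formula. The following is an added example, not from the original post or any product mentioned in it, showing what a minimal automated version of that loop looks like: two constructed inventory snapshots are diffed so that unexpected changes surface immediately (the indicator-of-compromise point made above), and open findings are scored with the post's formula, where the Threat term is raised for identifiers that appear in an assumed, constructed intel feed of actively exploited issues. Host names, asset values, severities, vulnerability identifiers (deliberate placeholders, not real CVE numbers) and the feed contents are all constructed.

```python
"""Inventory drift plus threat-informed risk prioritization.

Added example (not from the original post). All hosts, values, severities,
vulnerability ids and the 'intel feed' below are constructed placeholders.
"""
from dataclasses import dataclass

# Constructed inventory snapshots: host -> {package: version}.
INVENTORY_YESTERDAY = {
    "web01": {"nginx": "1.4.4", "openssl": "1.0.1e"},
    "db01": {"postgresql": "9.3.2"},
}
INVENTORY_TODAY = {
    "web01": {"nginx": "1.4.4", "openssl": "1.0.1e", "netcat": "1.10"},
    "db01": {"postgresql": "9.3.2"},
    "unknown-host": {"sshd": "6.4"},
}

# Constructed business-impact valuation per asset (1 = low, 5 = critical).
# Hosts absent from the valuation default to 1, which is itself a gap worth reporting.
ASSET_VALUE = {"web01": 4, "db01": 5}


@dataclass
class Finding:
    host: str
    vuln_id: str    # placeholder identifiers, not real CVE numbers
    severity: int   # 1-10 scanner severity (the Vulnerability term)


# Constructed scanner output and constructed "actively exploited" intel feed.
FINDINGS = [
    Finding("web01", "VULN-PLACEHOLDER-1", 5),
    Finding("db01", "VULN-PLACEHOLDER-2", 9),
    Finding("web01", "VULN-PLACEHOLDER-3", 7),
]
ACTIVELY_EXPLOITED = {"VULN-PLACEHOLDER-1"}


def diff_inventory(old, new):
    """List (change_kind, host, package) tuples between two snapshots."""
    changes = []
    for host in sorted(set(old) | set(new)):
        if host not in old:
            changes.append(("new_host", host, None))
            continue
        if host not in new:
            changes.append(("missing_host", host, None))
            continue
        for pkg in sorted(set(old[host]) | set(new[host])):
            old_ver, new_ver = old[host].get(pkg), new[host].get(pkg)
            if old_ver is None:
                changes.append(("new_package", host, pkg))
            elif new_ver is None:
                changes.append(("removed_package", host, pkg))
            elif old_ver != new_ver:
                changes.append(("changed_version", host, pkg))
    return changes


def risk_score(finding, asset_value=ASSET_VALUE, exploited=ACTIVELY_EXPLOITED):
    """Risk = Asset * Vulnerability * Threat, with Threat = 3 when the
    identifier is on the active-exploitation feed and 1 otherwise (assumed weights)."""
    threat = 3 if finding.vuln_id in exploited else 1
    return asset_value.get(finding.host, 1) * finding.severity * threat


def prioritize(findings=FINDINGS, asset_value=ASSET_VALUE, exploited=ACTIVELY_EXPLOITED):
    """Findings ordered highest risk first."""
    return sorted(findings,
                  key=lambda f: risk_score(f, asset_value, exploited),
                  reverse=True)


if __name__ == "__main__":
    for change in diff_inventory(INVENTORY_YESTERDAY, INVENTORY_TODAY):
        print("inventory change:", change)
    for f in prioritize():
        print(f"{f.host} {f.vuln_id} risk={risk_score(f)}")
```

The ordering is the point: with the intel feed wired in, the severity-5 finding on `web01` outranks the severity-9 finding on the more valuable `db01`, because it is the one attackers are actually using. Without the Threat term the list would be sorted the other way round, which is how programs end up staring at tens of thousands of open items with no idea where to start. The diff, meanwhile, reports a host nobody valued and a package that appeared overnight, both of which deserve a question before they deserve a ticket.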

Five years of time, with not much progress to show for it. This has me saving a copy of my slide deck to give again in 2018.

What changes can we make to obsolete my Practical Risk Management talk? Simple. We can beef up and automate asset management. We can shift from the technical aspects of vulnerability management to the social aspects, facilitating remediation efforts with other departments. Finally, we can more tightly integrate threat intel with vulnerability management and begin doing regular red team assessments to identify architectural and control concerns. In three broad strokes, we can make a dent in the technical aspects of risk management and get ourselves out of the weeds.

Asset management. Vulnerability management. Threat management. Three areas, three programs, three ways to make a significant difference between now and 2018. The clock is ticking. Let’s get this done.


Risk Management

Friday Books and Talks 11/22/2013

By wolfgang. 22 November 2013 18:27

Here are some of the books that I enjoyed this week.

Working Relationships
by Bob Wall

"From C-level executives to front-line supervisors, the research is clear: emotional competencies are more important than training, IQ, and technical experience in determining who succeeds and fails at work. Into this exciting business arena, the revised and expanded edition of Working Relationships takes its rightful place as a classic toolkit for mastering the personal characteristics and social abilities of emotional intelligence (EQ), with new contributions that include two chapters focused exclusively on the power of EQ to influence success regardless of job type, level of education, or scope of responsibility."

Leading So People Will Follow
by Erika Andersen

"Leading So People Will Follow explores the six leadership characteristics that inspire followers to fully support their leaders. Using Erika Andersen’s proven framework, new leaders and veterans alike have increased their capacity for leading in a way that creates loyalty, commitment and results. Step by step, Andersen lays out six key attributes (far-sightedness, passion, courage, wisdom, generosity, and trustworthiness) and gives leaders the tools for developing them. This innovative book offers a practical guide for building the skills to become a truly 'followable' leader."



Friday Books and Talks 11/15/2013

By wolfgang. 15 November 2013 05:02

Here are some of the books and talks that I enjoyed this week, in no particular order.

The Art of Explanation: Making your Ideas, Products, and Services Easier to Understand
by Lee LeFever

"You've done the hard work. Your product or service works beautifully - but something is missing. People just don't see the big idea - and it's keeping you from being successful. Your idea has an explanation problem."

"The Art of Explanation is for business people, educators and influencers who want to improve their explanation skills and start solving explanation problems."

"Author Lee LeFever is the founder of Common Craft, a company known around the world for making complex ideas easy to understand through short animated videos. He is your guide to helping audiences fall in love with your ideas, products or services through better explanations in any medium."

By Arthur Benjamin

"Math is logical, functional and just ... awesome. Mathemagician Arthur Benjamin explores hidden properties of that weird and wonderful set of numbers, the Fibonacci series. (And reminds you that mathematics can be inspiring, too!). Using daring displays of algorithmic trickery, lightning calculator and number wizard Arthur Benjamin mesmerizes audiences with mathematical mystery and beauty."

By Abha Dawesar

"One year ago, Abha Dawesar was living in blacked-out Manhattan post-Sandy, scrounging for power to connect. As a novelist, she was struck by this metaphor: Have our lives now become fixated on the drive to digitally connect, while we miss out on what's real?"



Why You Should Work in Information Security

By wolfgang. 13 November 2013 08:19

Rasmussen College reached out for advice on why information security is a great field to be in. My response is below. Click through to read more thoughts.

Expert Advice on Why You Should Work in Information Security ... NOW

1. Working in information security is exciting, challenging and never-ending

"Information security is new unexplored territory ... and this creates exciting and challenging work," says J. Wolfgang Goerlich, vice president of consulting at VioPoint.

Information security professionals work on teams to develop tactics that will help find and solve unauthorized access as well as potential data breaches. A crucial part of the job in information security is keeping companies from having to deal with unwanted exposure.

The best information security teams, Goerlich says, are those that provide "consistent mentoring and cross-training." He says professionals in this field must be constantly learning and sharing what they know.

"As the technology is shifting and the attacks are morphing, the career effectively is one of life-long learning," Goerlich says.



Friday Books and Talks 11/08/2013

By wolfgang. 8 November 2013 19:54

Here are some of the books and talks that I enjoyed this week, in no particular order.

Getting More: How to Negotiate to Achieve Your Goals in the Real World
by Stuart Diamond

"Based on more than 20 years of research and practice among 30,000 people in 45 countries, Getting More concludes that finding and valuing the other party’s emotions and perceptions creates far more value than the conventional wisdom of power and logic. It is intended to provide better agreements for everyone no matter what they negotiate – from jobs to kids to billion dollar deals to shopping."

"The book, a New York Times bestseller and #1 Wall Street Journal business best seller, is based on Professor Stuart Diamond’s award-winning course at the Wharton Business School, where the course has been the most popular over 13 years. It challenges the conventional wisdom on every page, from “win-win” to BATNA to rationality to the use of power. Companies have made billions of dollars so far using his new model and parents have gotten their 4-year-olds to willingly brush their teeth and go to bed."

TED: Architecture at home in its community
By Xavier Vilalta

"When TED Fellow Xavier Vilalta was commissioned to create a multistory shopping mall in Addis Ababa, he panicked. Other centers represented everything he hated about contemporary architecture: wasteful, glass towers requiring tons of energy whose design had absolutely nothing to do with Africa. In this charming talk, Vilalta shows how he champions an alternative approach: to harness nature, reference design tradition and create beautiful, modern, iconic buildings fit for a community."


