J Wolfgang Goerlich's thoughts on Information Security
Software support for password strength

By wolfgang. 10 January 2012 07:37

Xkcd is the QED of our industry. Want proof? Check out Randall Munroe's comic on Password Strength.

Longer phrases trump mixed up passwords every time. "Correcthorsebatterystaple" will take significantly longer to crack than, say, "p@ssw0rd". Given this, you might wonder why the industry has not changed to longer phrases. I blame the vendors. There are a number of apps that I support and websites that I visit that still limit passwords to 14 characters. Moreover, many explicitly prevent special characters. Software support is a problem.

There are other problems, too. See today's Dark Reading article for the pros and cons of using phrases.

Dark Reading: Passphrases A Viable Alternative To Passwords?

There is a wish among some enterprise users that they could institute phrases, but they're experiencing a technology lag within the software and identity management worlds that stymies the urge.

"One reason (organizations don't use passphrases) is the number of software applications that do not support long or complex passphrases," says J. Wolfgang Goerlich, Network Operations and Security Manager for a midwest financial services firm. "Length and special characters seem to be a challenge for some vendors. Sometimes referred to as technological debt, many IT departments must maintain a suite of apps that have not been updated with modern security recommendations."

Tags:

Security | Systems Engineering

The team, the tools, and the time

By wolfgang. 5 January 2012 08:38

"Want to find out how good someone is? Take away all their tools and say, 'Now do it.'" -- @SecShoggoth

Have you heard of Thomas Thwaites? He took a maker’s approach to toasters. By reverse engineering a £3.99 Argos toaster, Thwaites was able to build his own model. He smelted the iron. He melted the plastics. He may have argued with a volleyball named Wilson. I am not sure on that last point. But after nine months and £1187.54, Thwaites had himself a toaster.

A tweet by Tyler Hudak (@SecShoggoth) had me comparing toasters to information technology. Just what is a tool? Is it that application you are using? Fine. Let’s rewrite the app to show how good we are. But wait … what about the IDE? Is that a tool? No worries. We will use cat and bang the C code out straight. What about the compiler? What about the language itself? The OS? The computer itself? How about the motherboard and daughter cards? What about ICs? The transistor?

"If you want to make an apple pie from scratch, you must first create the universe." Carl Sagan sums up the slippery slope we ride.

We live in a remix society. We -- in the IT and InfoSec industry -- work on the largest hackable platform in human history. Everything we do depends upon the work of others. Everything we make builds upon the tools of others. Every day we take from and give back to this hackable platform we call modern IT.

We can liken the new generation’s approach to IT to that of the Nintendo generation. Heck, they just download an app, point-and-click, and done. That’s not IT.

I recall folks lambasting my generation because we had a GUI. Heck, we had keyboards and mice. All we had to do was boot up, point-and-click, and done. That’s not IT. That’s not real computing.

I wager the generation before were heckled because they did not have to use punch cards. And don’t get me started about slackers who use transistors instead of vacuum tubes.

There is a certain rugged nostalgia for folks like Thomas Thwaites. People who toss aside the benefits of society to forge their own way are admirable. Equally admirable, in my opinion, are those who save time and money with clever hacks to the platform. These are folks who excel through expert use of modern tools.

See, IT has become a team sport. The one-man toaster and the lone sysadmin are throwbacks. The way forward is mastery of your specific toolset combined with a team of folks equally skilled in complementary tools. Give me a team, tools, £1187.54, and nine months. We will change the world.

Wolfgang

Note this article comes from a discussion on Twitter between @SecShoggoth, @RogueClown, and @LenIsham. @SecShoggoth blogged on expanding your skillsets beyond the tools you are comfortable with here: Tools and News.

Tags:

Project Management | Systems Engineering

Happy New Year 2012

By wolfgang. 2 January 2012 06:42

Welcome to 2012, and welcome back to my blog. Has the world ended yet? No? Still with us? Yes? Good.

Fifteen years ago, I was building high quality IT systems. Ten years ago, I was building high quality IT platforms. During the past five years, I have been building high quality IT teams.

This blog has evolved over the years along with my role in IT. My original focus in 2002 was on technical tips for Citrix, thin computing, and overall IT security. This shifted into business continuity and risk management in 2007. I focused on network architecture as a path for network security in 2009. Most recently, I have been writing about the management side of the equation.

In 2012, I will dig deeper into team work and team management. How do group dynamics play out in the technology field? What can we do, as a team, to deliver IT solutions with a high degree of quality and security?

I will also be doing more collaboration and group projects. This means more involvement with the #MiSec security group, working with the SE Michigan community to put on the BSides Detroit conference, doing a weekly BSides chat on the Rats and Rogues podcast, and presenting in West Michigan at GrrCon. Further, you can expect a new release of the SimWitty security tool.

Good things are in motion for 2012. Please keep your hands and feet inside at all times, and enjoy the ride.

Tags:

General

DNS covert channels

By wolfgang. 28 December 2011 06:10

I am having some fun with DNS and covert channels over the holidays.

At its simplest, DNS can be used as a text-based covert channel. The DNS client sends the message via a CNAME lookup. The DNS server sends a message in response via a CNAME response. By co-opting this process, any character sequence can be sent back and forth.

What if we need to do more? Say, transfer a file? Or even browse the web? The answer here is text encoding.

Most IT folks would jump to the conclusion that the traffic simply needs to be Base64 encoded. There is a slight wrinkle. DNS labels are limited to 63 characters drawn from a restricted set: lower case letters, upper case letters, digits, and dash (-). Base64 output, with its "+", "/" and "=" characters, does not fit, so Base64 encoding is out.

The next possibility is Base32 encoding. While not often used, it fits within the DNS RFC and therefore works out of the box.

The disadvantages of Base32 over DNS are packet payload size and transmission reliability. DNS runs over UDP and, therefore, may suffer from dropped packets. Further, the packets can only be so long: DNS host names are limited to 255 characters.

Dan Kaminsky came up with an interesting solution to these problems. He essentially tunneled IP over DNS using Base32 encoding. Such protocol layering handles the limitations of UDP. To increase the size, Kaminsky relied on the EDNS0 extension specified in RFC 2671. He released a proof of concept in the form of the OzymanDNS Perl scripts.

As a side note, the name OzymanDNS had me curious. I did some digging. It is a Watchmen comics reference which, in turn, traces back to an Egyptian pharaoh. Nothing says secret writings like comic books and pharaohs.

Anyway, in sum, covert channels over DNS are practical. With some clever protocol manipulation, binary files and even web browsing can be tunneled over DNS.
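As an added illustration (not code from the post or from OzymanDNS), the Python below checks the label and name limits the post cites, shows why Base64 output fails them while Base32 output passes, and runs a defender-side heuristic over a few constructed resolver log lines to flag queries shaped like Base32 payloads. The log format, the sample names, and the zone_labels parameter (how many trailing labels form the registered zone) are assumptions.

```python
import base64
import re

# RFC 1035 label size plus the host-name charset the post describes:
# letters, digits and dash, 1-63 characters, dash not at either end.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
MAX_NAME_LEN = 255                                     # the 255-character limit
B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")  # RFC 4648 Base32 alphabet


def valid_dns_label(label: str) -> bool:
    return LABEL_RE.fullmatch(label) is not None


def valid_dns_name(name: str) -> bool:
    """Every label valid and the whole name inside the 255-character limit."""
    name = name.rstrip(".")
    return len(name) <= MAX_NAME_LEN and all(valid_dns_label(l) for l in name.split("."))


def compare_encodings(data: bytes) -> dict:
    """Why Base64 is out and Base32 fits: Base64 uses '+', '/' and '=' padding,
    none of which are label characters; Base32 (padding stripped) is letters
    and digits only."""
    b64 = base64.b64encode(data).decode()
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    return {"base64": valid_dns_label(b64), "base32": valid_dns_label(b32)}


def looks_like_base32_tunnel(qname: str, zone_labels: int = 2) -> bool:
    """Heuristic built from the same constraints a tunnel must obey: payload is
    packed into labels close to the 63-character cap and confined to the
    Base32 alphabet. The digits 0, 1, 8 and 9 never occur in Base32, which is
    what lets long hexadecimal CDN labels pass. zone_labels is an assumption
    (2 for a zone such as example.org)."""
    labels = qname.rstrip(".").lower().split(".")
    payload = labels[:-zone_labels]
    if not payload:
        return False
    body = "".join(payload)
    return (len(body) >= 40
            and set(body) <= B32_ALPHABET
            and max(len(l) for l in payload) >= 50)


QNAME_RE = re.compile(r"qname=(\S+)")

# Constructed resolver log lines (not captured traffic): the third carries a
# made-up Base32-looking payload, the fourth a long but hexadecimal CDN label.
SAMPLE_LOG = """\
2011-12-28T06:10:01 client=192.0.2.10 qtype=A qname=www.example.com
2011-12-28T06:10:02 client=192.0.2.10 qtype=A qname=cdn-assets-prod-01.example.net
2011-12-28T06:10:03 client=192.0.2.11 qtype=CNAME qname=nbswy3dpeb3w64tmmqxgg43uojuxg5dsomwhk3tjon2gc3dtmfrga5lo.mf2gk4ztnfvg4zlq.t.example.org
2011-12-28T06:10:04 client=192.0.2.12 qtype=A qname=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15.cdn.example.net
"""


def flag_suspicious_queries(log_text: str) -> list:
    """Return the query names in the log that trip the tunnel heuristic."""
    flagged = []
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if m and looks_like_base32_tunnel(m.group(1)):
            flagged.append(m.group(1))
    return flagged
```

The heuristic is deliberately simple; in a real resolver log you would also weigh query volume per client and the ratio of distinct names per zone.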

Tags:

Security | Systems Engineering

Small Business Security Advantages

By wolfgang. 28 October 2011 05:21

I have had some great conversations since Raf Los (@Wh1t3Rabbit) posted his podcast Monday. Much of the talk has been around some advantages that we do have.

Down the Rabbithole - Episode 4 - Effective Small Business Security
http://podcast.wh1t3rabbit.net/down-the-rabbithole-episode-4-effective-small-business-security

First, information security is a scaling problem.

I have a staffing rule of thumb. I have posted it before, but I’ll repeat it. Take the employees, networked devices, and IT support staff. Security is 1 FTE per 1K employees, 1 FTE per 5K devices, or 1 FTE per 20 IT employees. Most security folks that I have talked with fall within this range, whether they work with multi-nationals or mom-and-pop shops.

This applies to my case. I am dedicated 25% to security. I have 250 end users and around a thousand end-points, servers, switches, routers, and firewalls. Luckily we have more than 5 IT folks, but you get the idea.

The scope of security challenges remains consistent regardless of the scale. But we on the small and medium business side do have a few unique opportunities.

Information security pros at the SMB level have advantages.

Reach. There are fewer layers between us and executive management. The board level directives can flow right into our security planning. There are fewer layers between us and line employees. The security controls can flow right into their daily activities. Communications are simpler in smaller organizations.

Flexibility. If you are an army of one, not much time is needed for generalship. Reaction and response can be quicker. Process and procedure can be reduced, in favor of action and implementation. 

Cooperation. Baking security in means getting buy in from the IT operations team, the software development team, the IT engineering folks, the project managers, the business analysts, and IT management. With separate teams, this can mean significant work just to navigate the politics. More time can be spent on implementing and less on negotiating when all the folks are in one team. 

End-to-end. One dedicated InfoSec pro in a company with fewer than 5K devices can hold the entire network in his mind. Two dedicated FTEs and 10K devices, and you’ll end up naturally dividing the work between each other. Reach 100K devices secured by 20 InfoSec guys, and one person knowing every nut-and-bolt becomes impossible.

A small network can be a very secure network.

Security flaws come from the people creating the security controls in a vacuum with no relation to the organization’s mission. Security flaws come from people working on the front lines, with no ideas of the control environment. Flaws come from projects without security tasks, from systems that go-live without security review, and from bolted-on security features. Flaws and weaknesses crop up in the gaps of responsibility between teams, and between people.

A security pro in a small and medium business is in a position to make a significant contribution to their organization.

Tags:

Security

Effective Small Business Security Podcast

By wolfgang. 25 October 2011 03:50

"Do you think a team of one person has already lost the battle? Straight out of the gate? Does he stand a chance? Does the individual even have a chance?" -- Michael Allen (@_Dark_Knight_)

Have we lost the battle? On the one hand, we say that it is not if a breach will occur, but when. On the other hand, we say that we are all one breach away from unemployment. What does this tell us about the InfoSec field?

We need a seat at the table.

Most of us got into security back when, if you knew how to set the pins on the modem and knew how to type up firewall rules in a text editor, our users thought we were rockstars. They depended upon us. And we, in turn, depended upon their dependence in order to keep things running securely.

That is no longer the case. People today are more tech savvy and more willing to Google it for themselves. A slew of new companies, with buzz words from cloud to IT consumerization, enable users to do just that. People do not depend on us any more.

Perhaps we became too dependent on their dependence. We no longer get a seat at the table. We no longer have a free pass. We no longer get included in discussions on new technology. And then we become concerned about all the technology being deployed in our organizations without proper security review and controls.

We must earn a seat at the table.

The #SecBiz thread on Twitter represents a search for earning that seat. #SecBiz shifts our focus away from securing technology and towards securing businesses. Fewer modems and firewalls, more business initiatives and processes.

Raf Los (@Wh1t3Rabbit) has been on the vanguard of this change. From his blog, from his presentations at B-Sides Detroit and everywhere else, and from his podcast, Raf has been driving home the point. This week, Michael Allen and I were guests on his "Down the Rabbithole" podcast. The topic was information security in the SMB space. We had a fantastic conversation about what security means today.

Are you wondering how to get a seat at the table? Feeling like you have already lost the battle? Spend some time following the Wh1t3Rabbit.

Down the Rabbithole - Episode 4 - Effective Small Business Security
http://podcast.wh1t3rabbit.net/down-the-rabbithole-episode-4-effective-small-business-security

Tags:

Security

Remediating IT vulnerabilities

By wolfgang. 17 October 2011 10:20

You might say that InfoSec risk management is effectively asset management, threat management, and vulnerability management. What do we have? Who would want to attack it? And what attack vector would they use? The prioritization of fixing or mitigating the vulnerabilities is based on business impact. That is, a measure of how such an attack would affect an employee's productivity and an organization's mission. The following article gives a good overview of the vulnerability side of the process.

Remediating IT vulnerabilities: Quick hits for risk prioritization
http://searchsecurity.techtarget.com/tip/Remediating-IT-vulnerabilities-Quick-hits-for-risk-prioritization

Use multiple information sources. As J. Wolfgang Goerlich, network operations and security manager for a mid-sized money management firm told me, he looks for reports that provide "solid information regarding what the threats are and at what frequency they’re occurring."

To keep the fix process focused and effective, know your environment and business impact, create meaningful metrics that take into account public and private ratings, and stay on plan with preset time-to-fix periods.

This article is also on my Press Mentions page.

Tags:

Risk Management

How advanced are advanced attacks?

By wolfgang. 14 October 2011 10:14

Let's put politics aside for the moment and focus on why so many organizations label their attacks as sophisticated. What makes an attack appear to be advanced and persistent?

It truly is all about appearances. We have years of data now from threat reports such as Microsoft's and Verizon's. The reports continue, year after year, to show the same basic truth. Most attacks were due to relatively simple things, like misconfigurations or missing patches. Most attacks are not discovered for weeks to months. When discovered, they are cleaned up in a relatively straightforward process. If that is the case, then why would an attack appear advanced?

It is the law of uphill analysis and downhill invention. Valentino Braitenberg coined the phrase in his book Vehicles. The law is one of the reasons an attacker has an asymmetrical advantage over a defender. Like going downhill versus going uphill, it is much easier to implement something in technology than it is to figure out what happened based on the result.

Things generally seem more complicated at first. Think of any recent troubleshooting incident. Pick a particularly stressful situation. Your team is calling you with updates. Your management is calling you for updates. Other business units are calling you to stress the importance of a quick resolution. Your management's management is calling you to check in. With all that distraction, you are trying to piece together what has happened.

Did it seem a particularly challenging event? Did it seem almost insurmountable? And yet, I wager, the root cause was something simple. When all was said and done, when the fog cleared, when all the facts were at hand, the problem turned out to be a sequence of simple events. Such problems usually are.

The law of uphill analysis and downhill invention is at work in security incidents. More so, too, because here the attacker is actively working to subvert your investigation. Sure, it was just a spearphishing email that planted a backdoor on the network. But at the time, to the people inside, all they knew was that the attacker was seemingly everywhere inside the perimeter at once. It takes quite a bit of time, training, and effort to work backwards.

What do I hear when someone says it was an advanced persistent threat? It was persistent because it took the organization a long time to detect the attack. It was advanced because it took the security team a lot of effort to figure out what the attacker did. The threat is in overstating what it takes to defend a network.

Tags:

Security

How sophisticated are sophisticated attacks?

By wolfgang. 13 October 2011 07:31

Whenever a breach occurs these days, the organization’s management is quick to call it a sophisticated attack. The media’s quick to jump on the Advanced Persistent Threat or APT bandwagon. Then, sooner or later, news leaks that the attack was actually something quite trivial pulled off by regular people.

Take the Comodo attack. The founder is on record as saying "This [attack] was extremely sophisticated and critically executed. It was a very well orchestrated, very clinical attack, and the attacker knew exactly what they needed to do and how fast they had to operate."

Moxie Marlinspike relayed at BlackHat and GrrCon what he learned about the attacker. Turns out the guy surfed into www.thoughtcrime.org and downloaded sslsniff after the breach. Where did the attacker come from? Hak5.

Moxie Marlinspike: "On the one hand, we have the CEO of Comodo. Very well orchestrated. Clinical. Maybe this video was really good. Maybe it turned them into clinical attackers. But, from what I see, on the one hand we have the CEO’s statements and on the other hand we have someone who is literally following video tutorials on the Internet."

Where is the disconnect? The cynical answer is that it is politically expedient to label attacks "sophisticated". Bonus points if you can link the attack to foreign nations. If the attack can be grouped under force majeure, well, who can defend against that? And who can blame the company for falling prey?

That's the cynical answer. Tomorrow, I will share a more pragmatic reason.

For now, I will give the last word to Jack Daniel. "Every breach is sophisticated, just like everyone is special."

Tags:

Security

I fight for the users

By wolfgang. 12 October 2011 07:31

There is no patch for stupidity. L-users. Pebcak: problem exists between chair and keyboard. ID10T error. We had everything secure, but then we had to let the users on. We have all heard the jokes.

The problem is that this mindset sets us up against the users.

Corporate security teams need less "I fight the users" and more "I fight for the users". Yes, I am quoting Tron. Here’s a clip with the iconic line:

Tron: Legacy clip on YouTube
http://www.youtube.com/watch?v=vGG5vwH7mm4&t=0m52s

Security teams protect the organization’s mission and profitability. That fundamentally means protecting a user’s productivity. Protecting IT systems is secondary. That is a bit of a mindset shift, I know, but bear with me.

What does it mean to fight for the users? It means viewing IT security breaches in the perspective of the impact to the business's mission. It means viewing IT security controls in the perspective of the impact on users’ productivity. Fighting for the users is central to business-centric risk management.

Tags:

Risk Management | Security
