This may very well be true for the manager of a technically focused team, for example, IT shops consisting of 20 IT workers with less than a 2 million dollar budget.
In most large IT shops (500 workers plus), the executives mostly deal with budget and decision making; they generally rely on technical managers to advise them of the technical options.
The term "IT boss" is too loosely defined. For technical managers, I couldn't agree more that they need to have a clue about technical stuff. For executives in large IT shops, they have to manage budgets of hundreds of millions of dollars, so finance, the ability to understand, and decision making ability are much more important than actual IT skill.
One happy customer :-)
You are correct. We want the infocon to stay at green most of the time and only raise it when necessary. Think about this: if we keep it at yellow all the time, it would eventually lower people's perception of the current threat. Trust me, we do try very hard to only raise it when necessary and appropriate.
Disclaimer: I am one of the ISC guys.
I was there playing CTF. This year's focus is definitely very different; unless you can dream in assembly, you are not going to be very effective at attacking.
The way they set up the infrastructure also does not allow you to do a whole lot of defense against the attacks.
In terms of this being real-world... Honestly, how many security incidents are caused by hackers reversing the binary, which leads to the intrusion? I would say 95% of intrusions are done by script-kiddie methods.
I hope they will put more infrastructure related vulnerabilities into the game to make it more interesting. I am not suggesting the lame vulnerabilities that can be detected by Nessus and standard exploit tools but some that require serious kung-fu to detect and exploit.
All in all, it was a very fun game. I am sure everyone enjoyed it. Congrats to all the winning teams, see ya all there next year.
Not really, an IPS (Intrusion prevention system) is better for that purpose. Getting your firewall signatures tuned by a honeypot would cause too many false alarms. Also, for a honeypot (or IDS for that matter) to tune the firewall (to shun a source host) is not exactly effective. In a UDP attack, sometimes one packet is all that is required to own the boxen (port 1434 UDP anyone?); by the time your IDS has chatted with the firewall, all the other packets are already in your infrastructure.
Overall a very good article. The article could have touched upon the ability of a honeypot to help create IDS signatures. At the current technology level, IDS are mostly still signature based, and early detection with a honeypot to help with creating IDS signatures is very important.
For active countermeasures (or attack), this has to be done VERY carefully. Remember Max Vision? It's good to fix your own machines, and make sure you only attack and fix yours. Access to unauthorized machines is almost always illegal. If one of your boxes got hacked, the incident response team should get involved and do their investigation; auto-patching without investigation can be a risky thing because you just don't know the extent of the problem. When you fix it, the hacker could already have a backdoor installed on your box.
The Hong Kong Post Office is teaming up with the government to offer the same thing; this has been available for over a year now. Refer to this link.
The Hong Kong Government has recently rolled out a renewal plan for all citizens to renew their ID card (mandatory, must be on the person at all times). This new ID card is a smart card which also allows storage of a digital cert.
Because of this mandatory ID, the cert roll-out plan (storage and distribution) is relatively easier than in other countries.
Halon DOES NOT replace oxygen in the room to extinguish the fire. It breaks the chain reaction of fire, basically stopping the elements of fire from reacting with each other.
Most scenarios would only require less than 8% concentration to take out the fire. Under 10% and you can still breathe.
The problem with Halon is that when over 900 degrees C, it breaks down into hydrogen fluoride, hydrogen bromide and bromine - stuff that is toxic. So, run!
It depends; if the fire starts inside the NOC then there's a high chance that Halon would extinguish the fire, but if the fire started elsewhere and then spread to the NOC, most likely the fire suppression systems are not designed to handle that.
Moreover, Halon systems are no longer installed (globally) since 1987 (Montreal Protocol) due to their CFC damaging effect. Most systems already installed are replaced by FM-200. Water, Argon, FE-13, Inergen and a few others are all possible replacements.
Common Criteria certification basically replaced the rainbow series of certification. The more familiar one that we know is C2 of the Orange Book, which NT 4 had.
I think the rainbow series was replaced sometime in the year 2000. The significance of the Common Criteria is that it is developed by ISO and is internationally recognized, and it not only replaces the rainbow series but also the ITSEC (European standard) as well.
PGP signing is a good way to prevent trojaned software like in this case. But I think the process to verify the software is too complicated and not easy for all users to use. Let me ask you this: when is the last time you checked the hash or PGP signature after you downloaded software?
For most people, never.... It would be great if we had automatic download tools to check signatures as well (obviously, we need a standard for storing the signature as well).
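As an added example (not code from the original post, and not any real download tool), here is the checksum half of such an automatic check in Python: parse a publisher's SHA256SUMS-style manifest, then compare the downloaded bytes against the listed digest in constant time. The file names, file contents and manifest below are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample "download": a small script a publisher might ship.
# The file names and contents are hypothetical, not from the original post.
GOOD_PAYLOAD = b"#!/bin/sh\necho 'tool 1.0: hello'\n"
# The same file with a line appended by someone other than the publisher.
TAMPERED_PAYLOAD = GOOD_PAYLOAD + b"echo 'extra line the publisher never shipped'\n"


def sha256_hex(data):
    """Hex SHA-256 of a byte string, the format sha256sum prints."""
    return hashlib.sha256(data).hexdigest()


# A publisher-style SHA256SUMS manifest (constructed). In practice this file is
# fetched from the publisher and its own PGP/GPG signature is checked first.
MANIFEST = (
    "# SHA256SUMS for tool 1.0 (constructed for this example)\n"
    f"{sha256_hex(GOOD_PAYLOAD)}  tool-1.0.sh\n"
    f"{sha256_hex(b'unrelated archive bytes')} *tool-1.0.tar.gz\n"
)


def parse_sha256sums(text):
    """Parse '<hex digest>  <name>' lines into {name: digest}; reject malformed lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts
        name = name.lstrip("*").strip()  # '*' marks binary mode in sha256sum output
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad SHA-256 digest for {name}: {digest!r}")
        entries[name] = digest
    return entries


def verify_download(data, name, manifest_text):
    """Return 'ok', 'mismatch' or 'unlisted' for the downloaded bytes of `name`."""
    entries = parse_sha256sums(manifest_text)
    expected = entries.get(name)
    if expected is None:
        return "unlisted"
    actual = sha256_hex(data)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if hmac.compare_digest(actual, expected):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    checks = [
        ("good", GOOD_PAYLOAD, "tool-1.0.sh"),
        ("tampered", TAMPERED_PAYLOAD, "tool-1.0.sh"),
        ("unknown", GOOD_PAYLOAD, "tool-2.0.sh"),
    ]
    for label, data, name in checks:
        print(f"{label:9s} {name}: {verify_download(data, name, MANIFEST)}")
```

The manifest itself is what needs the signature the poster asks for: an unsigned checksum file fetched from the same mirror as the download only shows that the two were altered consistently, so a real tool would run `gpg --verify` on the manifest against the publisher's key before trusting any digest in it.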
One year after Nimda, we are fighting the Slapper worm. Did anyone say deja vu?
Wonder what we are going to fight next year.
I would also like to remind everyone having pride in their own IDS that a NIDS will never catch every single attack. (At least for the next little while.)
Signature based detection is only good if the attack utilizes abnormal or unique traffic to exploit the vulnerability. It will not pick out attacks that use normal, common traffic (for obvious reasons).
IDS evasion techniques are also heavily worked on, plus all the application level evasive techniques (e.g. sidestep). We can just never be totally dependent on the NIDS for telling us an intrusion has occurred. It works for most attacks but will fail for some.
This article comes from the point of view of a normal administrator trying to also manage security. It is mostly based on the assumption that you use the default ruleset (there's no mention of what ruleset is put to use).
Nowadays you really have to be selective about what ruleset you use; logging too much isn't a good thing. This is part of the reason you need a qualified intrusion analyst who has the expertise to determine which ruleset is useful and which isn't.
The worst thing that can happen (which does happen quite often) is, after paying for the expensive distributed sensor IDS system, the logs are never processed or read by anyone.
As stated by the article, an IDS is supposed to log anomalies, that is, any abnormal behaviour. But anomalies are only useful if you have a technical guy capable of analysing the traffic. In fact, I would rather have a faulty IDS system that misses packets than a good IDS system where all the logs go down the drain at the end of the day.
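The two points above, that a signature matcher only sees what the signature literally says and that an untuned ruleset buries the analyst in noise, can both be shown in a few lines. The following Python is an added example (not code from the original posts or from any real IDS): a toy substring-signature engine run over constructed web-server request lines, once on the raw request target and once after canonicalizing it the way the server would, plus a per-rule alert count that exposes the over-broad rule. Rule names, signatures and log lines are all hypothetical.

```python
import re
import urllib.parse

# Constructed rule set: each signature is a substring looked for in the
# request target. Names and patterns are hypothetical, not from any real ruleset.
RULES = {
    "traversal": "../",          # directory traversal
    "passwd-file": "/etc/passwd",
    "any-passwd": "passwd",      # deliberately over-broad: fires on benign pages too
}

# Constructed web-server request lines (not real traffic).
SAMPLE_LOG = [
    "GET /index.html HTTP/1.0",
    "GET /account/passwd-reset.html HTTP/1.0",               # benign, trips 'any-passwd'
    "GET /images/../../../etc/passwd HTTP/1.0",              # plain traversal
    "GET /docs/%2e%2e/%2e%2e/etc/pass%77d HTTP/1.0",         # percent-encoded variant
    "GET /docs/%252e%252e/%252e%252e/etc/passwd HTTP/1.0",   # double-encoded variant
]


def request_path(line):
    """Return the request-target (second token) of an HTTP request line."""
    return line.split()[1]


def normalize_path(path):
    """Canonicalize the way the server will before the signatures are applied:
    percent-decode (up to twice, to unwrap double encoding), unify slashes, lowercase."""
    current = path
    for _ in range(2):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
    current = current.replace("\\", "/")
    current = re.sub(r"/{2,}", "/", current)
    return current.lower()


def match_rules(path, rules):
    """Names of all rules whose signature occurs in the (possibly normalized) path."""
    return [name for name, signature in rules.items() if signature in path]


def scan(lines, rules, normalize=False):
    """Run every rule over every request line; returns [(line, [rule names]), ...]."""
    results = []
    for line in lines:
        path = request_path(line)
        if normalize:
            path = normalize_path(path)
        results.append((line, match_rules(path, rules)))
    return results


def alert_counts(lines, rules, normalize=False):
    """How often each rule fires: the analyst's first clue that a rule is noise."""
    counts = {name: 0 for name in rules}
    for _, hits in scan(lines, rules, normalize):
        for name in hits:
            counts[name] += 1
    return counts


if __name__ == "__main__":
    for mode in (False, True):
        print("normalized match" if mode else "raw substring match")
        for line, hits in scan(SAMPLE_LOG, RULES, normalize=mode):
            print(f"  {line:55s} -> {hits or '-'}")
        print("  alerts per rule:", alert_counts(SAMPLE_LOG, RULES, normalize=mode))
```

On the raw request lines the encoded variants produce no traversal alert at all, while the same traffic after normalization fires every relevant rule; that is the gap the poster describes, and it is why signature engines decode before matching. The alert count also shows `any-passwd` firing on the benign password-reset page, the kind of rule an analyst prunes before the logs become unreadable.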
Also........
For those of you that are considering the value of security conferences, I can tell you from my first hand experience that it is worth every single penny.
I was at one point in time, like many of the readers, thinking that I could learn a lot on my own and become an expert in a specific area. But after I went to a couple of the security conferences and sat in classes taught by some of the world's foremost info security persons, I noticed that it was an immediate boost of knowledge for me. Things that would take me a year to learn and try, I learned and experienced within the few days of the conference.
For those who are going to a SANS conference, don't skip the certification part. It really makes you learn a lot. (Highly biased.) You would be required to write a paper on a specific area; it's not easy and it would mean practical experience for you (cause you have to do it first hand in order to write the paper).
I work with SANS so I know more about SANS than other organizations.
SANS offers courses online so you would save on travelling fees. And yes, I would agree with the fact that travelling is expensive. I am going to a SANS conference next month and the hotel + travel + food is going to cost $2000+ and it's coming out of my own pocket.
Aside from that, SANS also has a volunteer program where you can go to a conference for free (it will be $500 in October) but they require you to do all the setup and monitoring for them (hard work, trust me). But you will still have to pay for your lodging and food.
In the end, just like anything else, there's really no free lunch. But if you are determined enough to learn, you will pay out of your own pocket to go. (like me)
No, there are many Chinese input methods that utilize the normal qwerty keyboard. Some methods use the sound of the character, which are usually slower. And some use the composition of the character structure (these are usually faster).
It's ignorant to think there's a need to have thousands of keys....
BTW, there's an input method created by Ericsson (I think, correct me if I am wrong). It uses only 9 keys on the phone keypad for input. I have used it and find that it's a little slow, but it works and is able to type in all the characters that I wanted. Works kinda good for such a small device.
And for those of you that are wondering, YES, it takes a few keystrokes to make up one character. But it is not slow to represent some meaning on the keyboard. Chinese is regarded as one of the most concise languages on the planet. A few keystrokes would be compensated by much shorter sentences.
Yes, it has been there for 5 years. But it is only recently that people are starting to compare this smart card with the compulsory ID card that everyone will have to carry. (Yes, even my 75 year old grandmom carries an ID card all the time.) And the security industry is comparing these two cards for their value in authentication. (Especially physical access control and two factor auth and also PKI.)
The card is not new, but the intention to use it for security is definitely news.
I am Canadian. The last time I checked, we still cannot pass through any gate with our bank card 5 inches away, the machine going beep and us passing through the gate. Nor does our bank card let a charge transaction go through without us keying in a PIN.
Read the article before you post.
We are facing some big challenges right now. Due to the crazy growth of computing power (despite the fact that new methods of calculation - factoring large numbers and stuff - are constantly being developed), encryption standards are becoming obsolete faster than we can adapt to them.
Think about how long the US government will take to adopt AES.... The same encryption is going to get weaker and weaker as time goes by; we have to adapt to the rate at which it fades out. But apparently, encryption standards take time to develop and get accepted. We are very likely going to change standards every 5-10 years. Government agencies, are you coming along?
What positive things has ICANN done so far?
Let me mention the issue where NSI and some other players did not release the expired domains back to the pool. What did ICANN do about it?
Check out these links
NSI abuse
Verisign's status
You need CCNA to become CCNP.
You need CCDA to become CCDP.
CCIE does not require a prerequisite, so you can go straight to it without any other certs, but doing it step by step is easier.
This article missed all the certs in the security field.
CISSP
CISA
SANS GIAC
In general, CISSP and CISA are heavier on theory and SANS GIAC is more on practical knowledge (hands-on). Notice that GIAC actually offers many different certs in different areas.
They are all hard to get. For example, CISSP requires a 6 hour exam (which isn't easy at all). GIAC requires a practical assignment (to show hands-on knowledge - requires real world experience) as well as one or two 2 hour exams.
It seems to me that FreeBSD is better planned than Linux in terms of project management (this is not Linux bashing). When a development project gets bigger, it takes a lot more planning as a group effort than one man's decision; there may be something for the Linux development team to learn. I agree that it is hard to find the balance because most of us like Linux for some advanced new feature, but there's got to be a better planning and announcement system to let users know what to expect.
I would really appreciate it if the Linux kernel set stable checkpoints to indicate "This is a stable kernel" instead of the 2.4 series trial and error approach.
In a recent bugtraq post, someone mentioned IE also does similar things. If you type a wrong URL that cannot be resolved by DNS, your typed address will be sent to MSN for suggesting a new URL. If MS logs all these requests, similar results....
I can't wait till they make it into a hunting jacket with a shell made of material like MT050.
Sometimes when doing a late season still hunt for whitetails or moose, the temperature can drop to -15 Celsius and with windchill maybe -25C, and due to the fact that I am sitting still for 3-4 hours+, my body just does not generate enough heat to warm myself even with the MT050 extreme jackets from Cabelas. It is on those occasions where this jacket would come into play. I would buy it even if it is more expensive (which is very likely if they convert it into a hunting version).