Thursday, February 19, 2015

The Security Triad: Protection, Detection, and Response

It's been a while since I've posted anything at all. I could cite a variety of excuses but the truth is that I've been cutting my teeth in the industry and adapting from my previous life to my new one. I've finally found the time and desire to continue writing, so without further ado...

A lot of folks in InfoSec would say that Confidentiality, Integrity, and Availability are the three concepts that make up the Security Triad. Well, I agree to some point... but we're not just talking about InfoSec or the security of knowledge (which is where InfoSec was born), we're talking about security in general.

To that point, security of any variety, from financial and physical security to information security, has three components: Protection, Detection, and Response.  Each industry places more emphasis on a given phase than others and we often see radical changes in the deployment methods and regulation following large and critical incidents. 


http://www.e-cq.net/images/protect-detect-respond.jpg
(not sure who these guys are but the image looked nice)

Protection

Protection is the concept of preventing loss. When examining a familiar example such as a bank robbery, the protection mechanisms may include obstructive barriers, visible guards, and laws that act as deterrents.

In infosec, Protection is the phase where things such as firewalls, intrusion prevention systems, and user awareness come into play. The idea is that a protection mechanism breaks the chain of attack before the destruction of equipment or exfiltration of data occurs. A majority of organizations deploy these technologies at the border of their network.

Detection

Detection is the capability to identify loss or the potential for loss; ideally this happens very quickly. Once a possible loss event is detected, an alert of some sort is sent to personnel capable of responding.

Keeping with the bank example, the detection mechanism may be visual identification of bank robbers,  an alarm system that is active after-hours, or maybe an alarm on the vault door that signals any time it is opened. In any of these cases, two events take place: The triggering event and the notification event.

Alarm companies have done a great job automating many notification events after trigger events such as a door alarm or glass-break alarm. However, visual identification requires a manual notification action by a human, normally a phone call or a panic alarm. These are the areas where it is important to reduce friction, such as allowing citizens to send text messages so that they don't put themselves in danger by creating verbal noise.

InfoSec also relies heavily on both automated and manual detection. Sometimes malware triggers AV but the fact that a malicious actor is logged in via a screen sharing session goes undetected. Because of this, robust detection mechanisms need to be built to reduce the need for human identification or at least end user identification.

These robust detection mechanisms should identify anomalies or signatures within a network environment based on experience and input provided by InfoSec staff. This normally comes in the form of intrusion detection systems, antivirus, application whitelisting, and a variety of other technologies and trainings. As one can imagine, quite a bit of synergy exists between Protection and Detection, as many commodity threats are prevented because they are detected by one of these automated mechanisms.

Response

Response is the last and arguably the most critical component of the security triad. Response is about the actions taken after an incident is detected and after prevention failed. If the bank robbers are inside the bank and stealing money, the prevention strategies obviously failed. Hopefully one of the victims had the ability to notify law enforcement after the event was detected, and now the proper response is to send the SWAT team and negotiators… folks that are specially trained for responding to a variety of challenging events.

The processes aren't much different in InfoSec. The difference is that InfoSec is a relatively new field and there aren't any clear procedures on detection or response like there are with bank robberies. Many cyber-attacks defeat both the automated prevention and detection technologies and rely on 3rd party human detection. As a result of the lacking procedures, the response is all too often trivialized and handled by folks that are not properly trained or experienced. Incident response in any field is not something that can be done as a hobby or part time. It's a full time job with very strenuous training requirements.

The reason that response is the most critical component is simple; banks are going to get robbed and networks are going to get hacked. Trivializing the response leads to risk: business, reputational, and financial. 

Monday, October 17, 2011

Men of Honor


So lately I’ve been hearing a lot about this concept of “selling” things to Law Enforcement. I’ve been asked for advice several times on the best way to sell a product or a service and it has caused me to put some serious thought into the subject. Now I must say that I’m not a sales guy of any sort but I have a pretty dang good idea of what a police officer is looking for when you sit down across the table.



I’ve spent a lot of time reflecting on the lessons my father, grandfather, and mentors taught me as I was growing up. I was raised around command staff, private sector C-staff, and the like and if I’ve learned anything from that environment it’s that they’re ‘human’ too. They make decisions they’re not sure about, things happen that are outside of their control, they vent to the few friends their position has allowed them to keep, and sometimes they’re just plain wrong.  They’re just like us.

What sets C-staff apart from us low guys on the totem pole is that they spend all of their time making decisions that impact a large number of people. That is especially true in public safety; their decisions impact the officers, the organization, the municipality, and the citizens at large. So when they get things wrong it’s not just their job that they are worrying about, it’s the men and women that serve the common cause, it’s our citizens, and bad decisions can be deadly.

Now in every industry, brass is brass, white shirts are white shirts (or hats, as it may be), and everybody knows when the boss is in the office. But there’s one thing that sets public safety miles apart from C-Staff in the public sector; before they got to be Chief they spent a lot of years where the metal meets the flesh. They made decisions on a regular basis that may have determined a person’s life or death, and it’s a safe bet there’s a time or two when they were that person. 

These men and women know what is important and what is trivial. It’s probably a little bit different from the way a majority of the private sector views it. A bad sales day, a demotion, or a disciplinary action are bad days for a lot of people. They’re bad days for cops too but none of that matters when you get home to your wife and kids… because you actually got to go home.

Every day there are people that don’t go home and it’s our police officers, firefighters, paramedics, and 911 operators that handle those morbid situations. We do it so our citizens and the private sector don’t have to and, if not we then who? That acceptance of responsibility, the fact that many people will never have those experiences, is where the communication barrier exists.


Now when was the last time you had a car explode in your face, rain hot acid down on your head, then just say heck with it and keep going?



I know that was all a little dramatic but it’s a reality. The mindset that being exposed to those scenarios causes is what you’re facing when you sit across the table from a policeman. It doesn’t matter where the table is, the interrogation room, the conference room, (and for many) the kitchen, or the living room. You’re dealing with someone who has lived through and seen worse situations than the writers at CSI can air on TV and doesn’t have time for the horsehocky.

So, how do you sell to law enforcement if you don’t have those experiences and can’t communicate on that level?

Let me again say that I’m not a sales person, this is just the way I’ve seen it. I could be wrong and you should certainly validate my research, but I’ve seen a lot of people fail and it was all for the same reasons.

Most companies have a “government sales” division with former operators that do a fantastic job and should be selling to law enforcement all the time. But, as I’ve experienced recently, they don’t always get engaged early enough if at all. If you have a government sales division, stop reading here and turn it over to those guys.

For everyone else, the easiest way to win a cop over is to just tell the truth and learn the phrase “I don’t know but I’ll find out”. I’m not harping on the sales guys (Well… there was this one used car salesman but that’s a different story!) but over selling a product or service and selling something you’re not intimately familiar with is a frequent occurrence.

Let me tell you, if you sit down across the table from a policeman, you are going to be interrogated… especially if you are trying to take the money his citizens gave him.  So have your ducks in a row, know your product, and be prepared to find the same answers the police officers already have. 

Before you even start the conversation you should realize that everything you say is going to be used against you, right now and in future discussions. And depending on if you’re talking to the “good cop” or the “bad cop” (if they’re both there… well… that’s just bad) they’re going to call you on the BS too.



One of my father’s favorite quotes about salesmen is this, “I think of salesmen like I think of my confidential drug informants. If I take what they say and divide it by ten then I’m still over estimating how much they’re giving me.” It’s true, and it’s not acceptable for a police officer. They are going to take action on the information you provide and, depending on the product and what you’ve said, it could really save someone’s life or get someone killed.

Going back half a step, seeking truth is an integral part of administering justice and police officers do it every day. They are very good at it. They will put you in a position where you don’t have an answer, just to see if you’ll fabricate something. They will know when your product isn’t what they need and ask who has something that’s better. And you better not BS them, they probably have that answer too. (Anybody that watches Law & Order should know cops don’t ask questions they don’t have answers to!)

The best bet is to send a sales team comprised of good sales guys (not FNGs, Fantastic New Guys), have a techie for the hard questions, and a “ gun-toter” (a police officer, prior service, infantry is good, etc.) for a point man. The idea is that you want the front man to be someone that the police officer is going to look up to.  You also have to be prepared to give completely honest answers and, although it may be gut wrenching, it may be necessary to recommend products that are not your own.

I’ll say that most of the time you’re going to walk into a meeting with a group of police officers and they’re going to expect and accept a sales pitch. Well, I suppose that can be good for business but if you don’t have something that’s entirely unique and that sales pitch carries the wrong tune it’s going to be pretty tough to get the sale. Especially if your competitor has a government sales department!

Ultimately you’re trying to build a relationship with the client and the way you go about that is [apparently] entirely different with law enforcement. Their goals are not the same as yours and it is you, the sales team, who must adapt and overcome. You must have integrity and be honest. Be the type of person a police officer can trust. If you are trustworthy they will work with you. Most of the people they interact with are liars, cheats, and thieves. And so are the criminals.

Monday, August 29, 2011

An Apple, Today, Gave Your Data Away

I'm not really huge on writing about events in the news but this one seems pretty huge and I think there are some people that might not see the implications.



Basically Apple's new OSX 10.7 (Lion) allows Mac users connected to a domain to log in as any other user on that domain. If you're an administrator and you have someone on your domain using 10.7, then that means they have access to the administrator account, the nice HR lady's account, and Joe the CEO's account (or Kieth the Chief as it may be).

I'm not saying OSX 10.7 machines connected to a domain are prolific or anything or that would-be attackers would need OSX Lion to subvert LDAP authentication. It's kind of like a lock on a glass door: it's not actually a security mechanism, it's just there to keep honest people honest.

Think about it, if you have an ambitious employee with open access to every piece of data on the domain what kind of trouble could they get into? They probably don't want to actively damage the company in any way, but they might accidentally release company secrets before the press release to stroke their ego. Potentially worse is if they find something that upsets them. When things like payroll or personnel records make it to the general work-force, morale and trust can take a huge hit.

Now imagine all of that with a disgruntled employee or an attacker with something more to prove. How much easier would the three Arizona Department of Public Safety attacks have been for the attackers if all they had to do was snag one administrator password? How much more detrimental would it have been? I imagine lulzsec/antisec probably wouldn't have bothered with any other attack since they would have been able to connect to the domain and freely exfiltrate anything they wish. Moreover, strong passwords wouldn't have been a limiting factor. Surely they didn't get access to EVERY domain account, what information was left for them to pilfer?

Long story short, attack vectors like these are being discovered all the time. We have moved out of the Information Age and are moving into the Security Age and it's time to take these threats seriously. I'm sure AZDPS believed they couldn't be the target of a cyber attack and so did Bay Area Rapid Transit Authority. But the reality is as soon as an LE agency or private company makes the front page, they're a target.





Friday, August 26, 2011

Cyber Command Should Have a Football Team


People keep asking me, “Lee what tools do you use?” or “have you ever configured an xyz network device?” When I answer them, either they are surprised because I tell them it doesn’t matter which tools a person uses, or they look at me like I ride the short bus because I tell them I don’t care what kind of firewall they use because they’re all pretty much the same to me.

Well, to get off on a vendor rant for a second... Firewalls are either stateful inspection or they are not. They have well written rules or they do not. And if someone manages to set one up without logging enabled it is of no use to an Incident Responder. All of the above has nothing to do with a specific vendor (although they will fiercely argue that point!) but the way the engineer sets it up. So it doesn’t matter to me which firewall a company uses because it’s up to the person that deploys it to do a good job.

Firewalls, platforms, and entire industries aside... the point I have the hardest time getting across is that information security is not a technical field. People generally think of hacking the Gibson or some arrogant kid with a 2 foot red Mohawk writing a virus. Sure there are technical aspects of it and it’s best if you have some of those skills but security has a lot more in common with playing football than it does with any one tool.




Security is a mindset. It is not the measure of a tool, the number of machines in a botnet, or the complexity of a new exploit. Security’s methodical mindset can be applied to any situation regardless of environment. It is about having an explicitly defined understanding of a goal, a clearly defined target, knowing which resources you need, and knowing how to take the correct actions.

This mentality can be described perfectly when compared to football. A linebacker’s primary goal is to prevent positive yardage for the opposing team. The secondary goal is to create negative yardage for the opposing team. To prevent positive yardage, it is important to learn the behaviors of the quarterback, running backs, and other players that are directly involved in creating positive yardage.

A successful linebacker eventually learns how the combination of body language, formations, and players on the field translates into actions performed. Achieving the second goal is generally more difficult as it may require actual research or information from a third party. The linebacker needs to search for holes in the opposing team’s defense and then test them to see if he can gain access.

To take those actions and effectively generate negative yardage, the linebacker needs good information combined with opportunity. Opportunities come and go but much of the information should be gathered beforehand. The linebacker should have researched which of the opposing linemen is left-handed and which is right. He should have also answered questions such as, “which players are injured and where, which players stayed up too late having a good time; which, if any, are at odds with the quarterback; and finally determine the skill level of each player.” Like anywhere else, the more information that is gathered the more effectively goals can be achieved.

On the surface, the goals in an information technology environment may seem different; instead of sacking the quarterback the goal may be to deface a web site or exfiltrate data. If you step back and reduce the situation back to its methodology the goals are identical. The first objective in defacing a web server is to identify its exact location, which is comparable to the linebacker figuring out who has the football. Next the attacker needs to find a method of gaining access to the server.

This would be the linebacker finding a route to the player possessing the football. Once the location is identified the attacker will typically achieve access either through the use of valid credentials or with exploits. In parallel, when the linebacker is trying to bypass all of the opposing players and gain access to the ball, he has the same options. Although highly unlikely, the linebacker can do this by wearing the other team’s uniform (using valid credentials) or he can find a hole in the opposing team’s defense (an exploit).

Once the attacker has access and the linebacker has found his route, it is possible to leave a “back door” or attempt to escalate privileges. This part of the attack doesn’t translate as well to the football analogy, but the linebacker essentially has the privileges he needs to make a tackle and football’s version of a back door might be identifying a weakness in the opposing team of which they are not aware then trying to prevent them from finding it. To complete the analogy, the attacker’s privilege escalation is what allows him or her to make the tackle and deface the website.

Security is a mindset. When you apply that mindset to information technology it’s important to know the underlying protocols and the basic methodology behind infrastructure deployments. It is this understanding that allows an information security specialist to know which data to look for and only then are they properly prepared to select the tools required to obtain the relevant data.

Thursday, August 25, 2011

What?! Another New Security Blog


So why start a blog and why call it “Cyber Front Security” and what do I offer that no one else does? Well… The short answer is I want to contribute to the community. My intent is to write this blog with a law enforcement audience in mind. Seeing as how I'm new in the field, I plan on posting a lot about getting into industry, what it takes to move up, and the type of challenges that are to be expected.

But the real answer is that I’ve spent my entire life learning and training to be in the military only to have life happen and tell me "it wasn't so". So in 24 hours I went from knowing what I was doing for the next several years to feeling like this guy after he lands:


It’s really freaking cool until you face plant the big wooden target!

I had just resigned from working the radio at the local PD in anticipation of leaving for the military and I was left thinking, “well crap…. what am I going to do now?”.  So I called up my friends in the industry, went to a TON of conferences, and rebuilt my home lab. I knew my knees weren't gonna get any better and I knew which skill sets I was going to need.  So I improvised; I started full time back in college and started attending those conferences so I could learn, meet people, and show something positive in the gaps on my resume. I adapted, I further developed the skill sets I would need to be successful in a corporate world. I overcame; I've found my niche.

I understand policing, I speak the lingo, and I know the people. Walking into a police department and telling them their network is insecure is easy (dealing with a bunch of officers that are now cranky... not so much!). Getting them to trust you to fix it is another thing entirely. People that carry guns for a living don't trust other people that don't. It's because they see what people are capable of every day and they're always the ones coming to save the day. It's difficult for them to sit on the other side unless it's for someone they already know they can trust.

Way back when I was young... (I can already see the baby face jokes coming!) I decided I really liked computers. I was playing Reader Rabbit and the Oregon Trail on my trusty (or was it dusty?) old x386. I built (and set flame to!) my first computer before I was 10, I played at cracking passwords, live CDs such as the original Auditor, the forerunner to the now popular BackTrack.

For the past couple of years I’ve been working in the communications division of my local police department. I earned my GCFA a couple of months after I was hired and started helping the Intelligence unit with forensic analysis. But there wasn’t a huge caseload and of course I was a young, n00b FNG. It was really just a matter of time before I made a career out of it.

Well here I find myself, fresh in the field as a Security Analyst at InterDev (www.interdev.com) and the sky is the limit! I’m working on all kinds of new and exciting projects with a law enforcement emphasis. We’re starting to develop some partnerships that I hope will help the law enforcement community get the help they need in fighting on the front lines of cyber security. 

This blog is just one of the incarnations of my newly acquired career plan. I'm working in security now and I'm focused on working closely with law enforcement to defend against and take action on cyber crime. I don't think it will be long before law enforcement will be entrenched on the front lines of cyber security.

I'd like to throw a special shout out to Chris Pogue, Grayson Lenik, and Rob Lee for all the help and guidance, the opportunities, and their contributions to the community. There's no way I would have been able to get started so well without their help.

And of course I can’t leave out Harlan Carvey’s RegRipper and Kristinn Gudjonsson’s log2timeline for making analysts everywhere look like geniuses!