
Picking on the Little Guy

August 17th, 2011 | Posted by Dominic Schulte in PCI | Security - (1 Comment)

Security is expensive. We all know that. I see the battles my clients continually face – particularly the small and medium-sized businesses (SMBs) – as they try to spread their limited security dollars across dedicated salaries (for the fortunate ones), toolsets, appliances, training, and consulting (maybe we don’t need to include the last one…). The underlying belief from which many SMBs seem to take some relief is this: “I’m the small guy. Surely I won’t be targeted when there are banks and multinational retailers to be hacked.” Mr. Angelastri says as much in this Wall Street Journal article.

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.

We here at True Digital Security conduct quite a lot of engagements around penetration testing, or “Pen-Tests”. Usually this testing is driven by compliance requirements like the Payment Card Industry (PCI) DSS or by security audit requests from potential new clients. Unfortunately, penetration testing is perhaps the most confusing and misunderstood type of security engagement. Don’t quite know what I mean? Try this little experiment: Google for “Penetration Testing” and try to determine the scope, and more importantly, the goal of a penetration test. Go ahead, I’ll wait…. Confused yet? The vast array of methods, styles, and differing goals can be overwhelming. Even security experts themselves don’t agree on what the purpose or goal of a penetration test should be.

Michael Oglesby

The Director of Tactical Security Services at TRUE, Michael specializes in security testing initiatives with vast network and application security assessment experience. He oversees a team of analysts in conducting SAST- and DAST-based services. Certifications include CISSP, CSSLP, QSA and CNSS 4011-4015. He is also the Verizon 2010 Data Breach Investigation Report Cover Challenge Winner and second place finisher in the 2011 competition.


Adobe has released updates for the Acrobat suite of products. The update fixes over two dozen vulnerabilities[adobe.com], at least one of which is being actively exploited. The version numbers of the fixed Acrobat and Acrobat Reader products are 9.2, 8.1.7, and 7.1.4.

What is more damning than the 29 vulnerabilities fixed is that many of them appear to have existed since Acrobat 7.x and are only now being discovered and/or addressed. I have a suggestion for Adobe: Get your developers some secure coding training. Stop all coding at your company until all your developers have taken one month of secure coding classes.

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.


The Cybersecurity Act of 2009[opencongress.org] was introduced April 1, 2009, by Senator John Rockefeller (D-WV). The act is:

A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.

One of the more talked about provisions of this bill is the granting of authority to the POTUS to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network.” Perhaps that will be another blog post, but the provision currently bothering me is the one in Section 7[opencongress.org] of the bill. That section directs the Secretary of Commerce to establish a “national licensing, certification, and periodic recertification program for cybersecurity professionals” and that, after 3 years, makes it “unlawful for any individual to engage in business…as a provider of cybersecurity services…who is not licensed and certified under the program.” The provision only applies to professionals providing services to Federal agencies, their networks, or a network deemed as “critical infrastructure” by the POTUS.

Why does this bother me? Well, to start off with, licensing and certification sure sound like there will be some exchange of money involved, just as private certifications like CISSP, CCNA, MCSE, etc., require you to fork over some cash to take the test and/or maintain membership. If the Federal Government steps in and does the same thing, then either

  1. the Feds are getting a de facto tax from cyber security professionals; or
  2. if an already existing certification is chosen, that certification body essentially gets public welfare.

In the latter case, whoever spends the most money lobbying the Congress Critters (probably) wins.

This sounds like some unnecessary meddling to me. Yes, the Feds need some well-trained cyber geeks to shore up their defenses. A lot of the cyber security professionals that are already in the government are incompetent – I’ve taken various educational courses and met them, and also worked around some of them – but the way to fix that problem is to make it possible for the Feds to fire people. Right now, if you get into the Federal government, you’re employed for life unless you do something extremely stupid and illegal.

But even the NSF Scholarship for Service (AKA CyberCorps) program (which this act evidently re-authorizes) won’t help. First of all, you can’t train enough cyber security professionals fast enough to make a difference. More importantly, the lack of people is not the real issue. The real issue is the politics, red-tape, and managerial incompetence that restricts the competent CSPs that are already in the Federal government from securing their networks.

To defend a network, you have to be able to react quickly. To defend a network that has little or no existing defense in place, you have to be able to rapidly re-configure the network with up-to-date tools and hardware. It takes entirely too long to get approval for purchasing those devices, and entirely too long to get approval to deploy them. Then some manager can’t understand that some things are going to break and take a while to fix, and pretty soon you have a half-deployed three year-old “security is in the blinky thingy” device that can’t keep up with the volume of traffic transiting the new OC-128 the Undersecretary for Porn Surfing demanded be put in place.

I just don’t see this going well. Someone’s going to get very rich, another 1500 jobs are going to be added to the federal government to oversee this program, more tax money is going to be wasted, CSPs are still going to be frustrated in their attempts to repair Federal networks, and the Internet is still going to be a DANGEROUS PLACE with unfriendlies from all points south of our border and across the oceans trying to steal our information.

Brett Edgar

Another Adobe Acrobat vulnerability is being exploited in the wild. All versions up to and including 9.1.3 are vulnerable. The current exploit targets Acrobat and Acrobat Reader on Windows specifically, but all Acrobat variants (including those for Linux and Mac OS X) are vulnerable. Apparently, using DEP (Data Execution Prevention) in Windows may thwart the attack (at the moment). DEP is an optional setting. Here is the Microsoft KB article about DEP, but their server is saying it’s “too busy” at the moment (4:11p). More information from the ISC is here.

Adobe is set to release an update on October 13. Until then, keep on your toes!

TRUE Network Security Monitoring customers can rest easier: if your resources are successfully attacked, we should see the results.

Brett Edgar