Archive for August, 2007

Risk Management & InfoSec Operational Combatants – The Leviathan Force & the SysAdmins…the Real Art of War.

August 14th, 2007 11 comments

No, this is not some enlightened pithy post heaping praise on a dead Chinese military strategist. Nothing against his Tzu-ness, but I’m just plain tired of this overplayed guidepost for engaging in InfoSec warfare.  For God’s sake, I own an iPod. I’m, like, so enlightened, sophisticated and refined.  Sun Tzu is so last Wednesday!  The closest I come to Chinese philosophy is whether or not to order the Kung Pao chicken or the Pork Lo Mein.  Just to get that out of the way…

If you haven’t seen Thomas P.M. Barnett’s  talk "The Pentagon’s New Map for War and Peace" from the 2005 TED, you should definitely click here and do so.  Barnett is a brilliant and witty international security strategist who offers a unique contrarian perspective on the post-Cold War US military complex that differs quite drastically from the typical long range strategic planners squatting in the Pentagon:

"In this bracingly honest and funny talk, international security strategist Thomas P.M. Barnett outlines a post-Cold War solution for the foundering US military: Break it in two. He suggests the military re-form into two groups: a Leviathan force, a small group of young and fierce soldiers capable of swift and immediate victories; and an internationally supported network of System Administrators, an older, wiser, more diverse organization that actually has the diplomacy and power it takes to build and maintain peace."

What I find amazingly serendipitous about the timing of when I watched Barnett’s presentation is that it rang true with a theme I was mulling on which draws remarkable and absolute parallels to the state and needed resuscitation of how we practically organize the Risk Management and Information Security "combatant" fighting forces in the front lines of corporate America today and the thought processes and doctrines that govern how we operate.

I’m not going to spend much time here presenting this analogy and how it relates to the Risk Management/InfoSec world. 

Watch the video and take a peek at this one excerpt slide below.  Think about how we’re structured to do "battle" in our war against the bad guys.  As Barnett says, what we need is two armies focused on one victory with a division of assets between them; the Leviathan Force and the SysAdmins:


I suggest that we need to recognize that the goals of these two forces are really diametrically opposed which is why Ops Staff bristle at all the bag-winding policy, procedures and change control while the Managers lament how the young’uns can’t grasp the concepts of diplomacy and managing risk instead of just threats and vulnerabilities.

We need to organize what we do and how we approach the deployment of resources (forces) around this same concept in balance.  Yet, most people staff up in order to man a posted headcount as part of some mechanical rhythm that has for so long defined how we "do" InfoSec. 

I’m not sure that many people actually have a security strategy that defines a long term achievable objective toward winning the war to achieve peace, but rather keep throwing bodies into the cannon fire as we serially sacrifice combatants as fodder for the sake of fighting.

Some of us actually do organize and hire based upon placing talent that is strategically as well as tactically the right fit for the job.  My observation is that in reality, this practice is far and away the result of the lifecycle management aging of an ever-greying combatant force and nothing more…and it’s usually very, very unbalanced.

Instead, how about aiming to consciously build that Leviathan force of tactical soldiers who live, eat and sleep for "combat" (firewall jockeys, IDS/IPS analysts, etc.) and then take the older, wiser and diverse corps (architects, engineers, etc.) and have them deal with the aftermath — as a networking force — in order to maintain "peace" and let the soldiers go off hunting for the next foxhole to jump in.

Granted, we don’t talk offense in the traditional sense of how we play the game in our profession and it’s a losing proposition because we’re holding ourselves hostage to a higher standard and a set of rules our enemies have no intention to play by.  We organize inappropriately to repel the opposing force and wonder why we characterize what we do as a losing
Now, I’m not outright suggesting that *everyone* run out and deploy first strike capabilities, but certainly entertain the thought of countermeasures that are more than a firewall rule and a blacklisted IP address.  We can’t win on defense alone.  Gulp!  There, I said it.

So I’ll ask you again.  Watch that video and think about Risk Management/InfoSec instead of traditional warfighting.  You’ll laugh, you’ll cry and perhaps you’ll think differently about how you deploy your forces, how you fund your campaigns and ultimately which battles you pick to engage in and how.

"Don’t wage the war if you don’t want to win the peace…"


Categories: Risk Management

BeanSec! August 15th – 6PM to ?

August 12th, 2007 2 comments

Yo!  BeanSec! is once again upon us.  Wednesday, August 15th, 2007.

BeanSec! is an informal meetup of information security professionals, researchers and academics in the Greater Boston area that meets the third Wednesday of each month.

I say again, BeanSec! is hosted the third Wednesday of every month.  Add it to your calendar.

Come get your grub on.  Lots of good people show up.  Really.

Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.  Map to the Enormous Room in Cambridge.

Enormous Room: 567 Mass Ave, Cambridge 02139.  Look for the Elephant on the left door next to the Central Kitchen entrance.  Come upstairs.  We sit on the left hand side…

Don’t worry about being "late" because most people just show up when they can.  6:30 is a good time to aim for.  We’ll try and save you a seat.  There is a parking garage across the street and 1 block down, or you can try the streets (or take the T).

In case you’re wondering, we’re getting about 30-40 people on average per BeanSec!  Weld, 0Day and I have been at this for just over a year and without actually *doing* anything, it’s turned out swell.

We’ve had some really interesting people of note attend lately (I’m not going to tell you who…you’ll just have to come and find out.)  At around 9:00pm or so, the DJ shows up…as do the rather nice looking people from the Cambridge area, so if that’s your scene, you can geek out first and then get your thang on.

The food selection is basically high-end finger-food appetizers and the drinks are really good; an attentive staff and eclectic clientèle make the joint fun for people watching.  I’ll generally annoy you into participating somehow, even if it’s just fetching napkins. 😉

See you there.


Categories: BeanSec!

Security Innovation?

August 11th, 2007 8 comments

I migrated to a new job recently.  My previous job was "Chief Security Strategist."  Sounds linear, logical and pompous.  If you know me at all, the title doesn’t exactly fit me well.  I’m a fuzzy-logic, paint with a broad brush, and a reasonably palatable fellow.

My new title, which I created, is Chief Architect, Security Innovation.  I like this title because it means I think about things in a manner that implies they are going to be built.   It’s also  somewhat of an odd title, because when most people think of security, the last thing they expect to hear is the word "innovation" bolted onto the end of it.

Normally, one might expect to find words and phrases like "speed bump, insurance, pain, slow, firewall, policies, police, annoying, abrasive, and cost-center" associated with security.  But innovation?

Nobody really believes that security can be innovative, do they?  I do.

I like this word, what it stands for and what it means to security and the people who try and make a difference when implementing it with passion, and it is the focus of this post.  I think the reason security isn’t thought of as being innovative is that the people making the decisions don’t let themselves innovate!

Read on.

I’m driven by a fanatic gravitational attraction to change and enjoy being a catalyst for new thought, different ways of thinking and encouraging people to push harder and smarter in order to produce better output for any given input.  I like to solve problems; usually in the simplest way possible.  Often times, the simplest answers are the hardest to come by.  I don’t think it’s a question of "thinking outside the box."  I think it’s more an issue of allowing oneself to pretend there isn’t a box at all.

Some people mistake what I described above as a focus on being more efficient, but to me, efficiency is a by-product of innovation and innovative methods of problem solving.

People approach problem solving in many different ways.  Some like to noodle on a problem space and reason logically over a period of time, considering all empirical elements and paths leading to what may be multiple solutions and then choosing one as the recommended response.

Others like to drive to a solution as quickly as possible, thin-slicing their way to a terminus using instinct, intuition and adjacency to arrive at an answer a priori.

I’ll ask you to think about how you approach problem solving within the scope of your career. Since most of the folks who read this blog are in some manner security focused, think about your last complex security problem set as you read this.  Did you take your time or were you pushed (or push yourself) to snap-to and deliver a solution?

Guy Kawasaki’s blog turned me on to a really fascinating manifesto by Matthew May titled "Mind of the Innovator: Taming the Traps of Traditional Thinking," which is a really great follow-on to his book titled "The Elegant Solution."

"Mind of the Innovator…" provides a frank and compelling perspective on how people solve problems, and is illustrated by describing the seven deadly sins people commit when challenged.

The thing that really intrigued me about this piece is that anyone can arrive at a solution.  However, simple, elegant and creative solutions to problems usually don’t arrive easily and without complex thought distilled.  Worse yet, humans are generally horrible creatures of habit and revert to mental muscle memory to arrive at an answer and that’s not good creative problem solving, either.

I do hope Guy forgives me, but rather than try and imitate his summary of these sins, I am going to re-post his version here because, as usual, he’s done a fantastic job in doing so.

From Guy’s blog, here is a summary of Matthew May’s 7 deadly sins of problem solving:

  1. Shortcutting. Leaping to solutions in an instinctive way or intuitive way—i.e. the “blink” method of problem-solving—seldom leads to an elegant solution because deeper, hidden causes don’t get addressed. Watch CSI and House: first they collect the evidence, then diagnose, and then solve. It’s never the guy or the disease you initially suspect.

  2. Blindspots. Blindspots are the umbrella term for assumptions, biases, and mindsets that we cannot see through or around. Our brain does a lot of “filling in” for us because it’s a pattern maker and recognizer. Ths cn b hrd fr ppl t cmprhnd, hwvr, mst cn ndrstntd ths sntnc wth lttl prblm. But clear thinking involves more than simply filling in spaces in words.

  3. Not Invented Here (N.I.H.). NIH means that you refuse to consider solutions that are from external sources. It means “If we didn’t come up with it, it won’t work. It is of no use.” Next time you’re waiting for an elevator, watch someone walk up and hit the button even though it’s already lit. We often don’t trust others’

  4. Satisficing. Ever wonder why some solutions lack inspiration, imagination, and originality? It’s because by nature we satisfice—satisfy plus suffice. We glom on to what’s easy and stop looking for the optimal solution. What’s the least number of “sticks” you need to move to make this Roman numeral equation correct? XI + I = X If you answered anything but zero, you satisficed. Look at it upside

  5. Downgrading. Downgrading is the close cousin of satisficing but with a twist: a formal revision of the goal or situation. Reason? No one likes to fail. Result? We fall short of the killer app, so we pick the one that allows us to declare victory. Next time you’re playing hockey or football, try winning the game by hitting the outside of the post or taking the ball down to the one-yard line.

  6. Complicating. Why do we overthink, complicate, and add cost? And why do we ALL do it so intuitively, naturally, and (here’s the killer) consistently? Answer: we’re hardwired that way. Our brains are designed to drive hoarding, storing, accumulating, and collecting-type behavior. We are by nature “do more/add on” types. Don’t believe it? Watch the customers at Costco or Sam’s Club buy thirty-six rolls of toilet paper.

  7. Stifling. We do naturally do the “Yeah, but..” dance in which we stifle, dismiss, and second-guess ideas. It’s ideacide, pure and simple. And it’s not just others’ ideas we stifle; we often do it to our own and kick ourselves later when someone else “steals” our great idea. Remember how Decca Records rejected the Beatles? “Guitar bands are on the way out.”

So, the next time you’re asked to solve a problem, don’t fall victim to these traps.

As an overly simple example, perhaps next time you’re faced with a security problem to solve, think different: instead of deploying that $50,000 firewall as an autonomic solution to protect a web-based application because that’s what we’re programmed to do, fix the application’s input validation instead and use an ACL in a router?

Just a thought.  Think.


Categories: Innovation

Libelous Accusations :: Jeremiah Grossman Uncorks!

August 7th, 2007 3 comments

{Ed: I have been informed, nay swatted, by one Mr. Newby, that I have incorrectly characterized JG’s actions as slander.  According to Rob (and the Oxford Dictionary — who by the way added Rachael Ray’s EVOO as an official f’ing "word" to their tome of wordage!) slander pertains to making a false spoken statement whilst libel is a false published statement.  Fine, supercalifragilisticslanderlibelocius it is then!}

Not since InfoSec Sellout was discovered to be none other than Dave Maynor’s pet goat have I been so shocked at the venom spewing forth from the bowels of the Blogosphere.

Jeremiah Grossman, famed XSS guru and tireless crusader for all things input-validated, has come unglued and lobbed slanderous libelous accusations against my person.

In fact, he suggests that I lobbed myself slanderously libelously against his person! 

I deny such allegations and offer forth righteous testimony that refutes these malicious tirades.   

Judge for yourself the callous and acerbic commentary as evidenced by Senor Frog’s vitriol in summary of his Blackhat/DEFCON experience here:

Side-channel conversations:
There was a good bit of chitchat about BJJ and MMA. A lot of people in infosec train in various forms of martial arts. Makes sense I guess. However, I was not prepared for Chris Hoff’s unprovoked attack. In the front of PURE Chris comes out of nowhere like the Blair Witch, hugs me and says, “all I want to do is get in your butterfly guard big boy.”

…OBJECTION, your honor, calls for speculation.  Nobody’s actually ever *seen* Jeremiah’s butterfly guard.  I have it on good advice that he’s prone (pun intended) to being mounted and submits to the nearest blog or publisher.

Firstly, the so-called "attack" was hardly "unprovoked."  I have witnesses that will clearly testify that Grossman, who obviously had a silver ticket entrance to the Microsoft party, was flaunting his clearance at the entry of the Pussycat Dolls Theater.  I, on the other hand, was without Mr. Wonka’s shimmering docket of admission.

I think Mike Rothman was standing there just as confused as I was. 🙂 Then later there was talk about some Hacker MMA Smackdown event rumor I hadn’t heard about. RSnake had and immediately said in his best Tyler Durden voice, “I’d fight Erik Birkholz.” I kid you not. Ask the Mozilla guys, they were there! Gotta be on guard at all times around these infosec guys, sheesh.

Secondly, Mr. Grossman conveniently left out the part wherein one Mr. Mogull confidently dared me to wet-willy the former.  The best I could do was a rushed and flaccid (yes, I said flaccid) suplex attempt.  PURE is where Chuck "the ICEMAN" Liddell holds his after-parties.  I was inspired by the moment.

Thirdly, Rothman is always confused.  Wait until you check out a picture of Rothman in his party attire…he caps off the ensemble with a pair of black socks and, jesus, Crocs…

Fourthly, I’d give odds on Birkholz.  Two years ago we had the same conversation at the bar @ RSA.  He can tie knots in cherry stems with his tongue.  RSnake, admit it, you’re just outgunned!

It’s all fun and games until someone loses an eEye.  Speaking of which…

What has the world come to?


Categories: Uncategorized

VMware to Open Development of ESX Virtual Switches to Third Parties…Any Guess Who’s First?

August 6th, 2007 3 comments

On the tail of my posts from a week or so ago regarding Cisco’s Data Center 3.0 announcement, Mr. Chambers’ keynote at VMworld and the follow-on $150 million investment in VMware, here’s something that really gets my goose honking because the force is strong with this one… broke the news last week that VMware will "…allow 3rd party vendors to develop their virtual switches for ESX Server virtual network, and Cisco is expected to be the first company announcing such product (Virtual Catalyst?)"

This may sound like a no-brain yawner, but it’s quite profound…not just for Cisco, but for any of the switch vendors who want in on the lucrative virtualization market.

For a quick refresher, let’s review the concept of virtual switches (vSwitches).  From VMware’s definition:

A virtual switch, vSwitch, works much like a physical Ethernet switch. It detects which virtual machines are logically connected to each of its virtual ports and uses that information to forward traffic to the correct virtual machines. A vSwitch can be connected to physical switches using physical Ethernet adapters, also referred to as uplink adapters, to join virtual networks with physical networks. This type of connection is similar to connecting physical switches together to create a larger network. Even though a vSwitch works much like a physical switch, it does not have some of the advanced functionality of a physical switch. For more information on vSwitches, see Virtual Switches.

Given my previous posts on the matter, this offers two interesting and profound perspectives on the virtualization front:

  1. If you recall, I blogged back in February about my participation in a Goldman Sachs Security conference where Jayshree Ullal presented Cisco’s vision of virtualized security.  During the Q&A period after her presentation, I asked her a somewhat loaded question that went something like this:

    If now we see the consolidation of multiple OS and applications on a single VM host in which the bulk of traffic and data interchange is between the VMs themselves and utilize the virtual switching fabrics (ed: software) in the VM Host and never hit the actual physical network infrastructure, where, exactly, does this leave the self-defending "network" without VM-level security functionality at the "micro perimeters" of the VMs?

    I think that this announcement pretty much answers this question.  Cisco will take the concept that I blogged about previously wherein they will abstract the software from the hardware and provide a virtualized version of a Catalyst as the ESX vSwitch.  I wager we will see natively in the vSwitch a subset of the security functionality one might expect in the "physical" Catalyst hardware products, as much of that capability still hinges on new components such as the ACE.

    Now, if the virtual switch is Cisco’s, you can expect a bevy of interaction between the "virtual switch(es)" and the physical ones that the VM Hosts connect to.  This would provide interfaces between all manner of network controls and monitoring capacities such as firewalls, IDS, IPS, SIEM, and solve the issue above by merely "offloading" this functionality via APIs to the physical boxes plumbed into the network.

    Combine that with NAC agents on the hosts and…whether or not it actually works is neither here nor there.  They told the story and here it is.  It’s good to be king.

  2. This brings us to point numero dos…and it’s a doozy.  If you think that the current crop of L2/L3 switching and routing infrastructure is fragile enough, just imagine how much fun it’s going to be trying to detect and defend against infrastructure attacks on virtual switches that open up the guts of the VM hosts and hypervisors to third parties.

    We won’t need a Blue Pill, I’ll take one of these below, instead (it’s a cyanide capsule, btw):

    Ettercap and arp-twiddling, anyone?  If you don’t have the capability to virtualize the functional equivalent of IDS taps and/or utilize "IPS" plugins to the hypervisors, compromising a single guest OS on a VM host could spell disaster that goes undetected.  We already have issues protecting physically isolated critical infrastructure; can you imagine how much fun this is going to be?

    I’m not talking about application layer attacks here, I’m talking layer 2/layer 3.  The vicious circle begins anew.  You’ll be worrying about XSS and AJAX attacks on your virtualized web servers whilst the same attacks from 10 years ago will give your shiny new virtual infrastructure a wedgie.

    And since it’s likely we’ll see a repeat of architectural car crashes as we have in the past, most of the inter-VM traffic won’t be mutually authenticated or encrypted, either.  So you’ve got that going for you…

So, I think that this model is what Reflex was aiming for with their vIPS (from Virtual Iron) software for the virtual switch which I blogged about here, but Cisco’s going to one-up them because of their investment in VMware, their switching acumen and the unfair advantage of owning both the virtual/logical switching/routing plane as well as the physical.

Good times are comin’, for sure.  I’m trying not to be cynical.  I think it’s fairly obvious as to what ought to be done to secure this mess before it becomes one, but I’m not sure we’re going to be able to step out in front of this train and stop it before it reaches the station.
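The layer-2 worry above, a guest poisoning its neighbours’ ARP caches over a vSwitch where no physical tap ever sees the frames, as an added defender-side example (not code from VMware, Cisco or this post): a small monitor of the kind a virtualized IDS tap would feed, run over constructed ARP replies. The record format, thresholds and sample addresses are assumptions.

```python
"""Flag ARP-cache poisoning between guests on the same vSwitch.

Added example, not VMware or Cisco code. Input is a constructed list of ARP
replies in the shape a hypervisor-level tap might export; the monitor keeps a
per-vSwitch IP->MAC table and reports (a) an IP claimed by a second MAC and
(b) a MAC emitting a burst of gratuitous replies, the usual ettercap pattern.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    vswitch: str       # vSwitch / port group the frame was seen on
    sender_ip: str     # "I am this IP"  (sender protocol address)
    sender_mac: str    # "...at this MAC" (sender hardware address)
    gratuitous: bool   # unsolicited reply, no matching request observed


# Constructed sample: gateway and a web guest announce themselves, then a
# third MAC starts claiming both addresses (a classic two-sided MITM).
SAMPLE = [
    ArpReply(0.0,  "vSwitch0", "10.0.0.1",  "00:50:56:aa:00:01", False),
    ArpReply(1.0,  "vSwitch0", "10.0.0.20", "00:50:56:aa:00:20", False),
    ArpReply(30.5, "vSwitch0", "10.0.0.1",  "00:50:56:aa:00:77", True),
    ArpReply(30.6, "vSwitch0", "10.0.0.20", "00:50:56:aa:00:77", True),
    ArpReply(31.0, "vSwitch0", "10.0.0.1",  "00:50:56:aa:00:77", True),
]


class ArpMonitor:
    """Tracks IP->MAC bindings per vSwitch and records alerts as tuples."""

    def __init__(self, grat_burst=3):
        self.bindings = defaultdict(dict)      # vswitch -> {ip: first mac}
        self.grat_count = defaultdict(int)     # (vswitch, mac) -> count
        self.seen_conflicts = set()            # (vswitch, ip, rogue mac)
        self.grat_burst = grat_burst           # assumed threshold
        self.alerts = []

    def feed(self, r: ArpReply):
        table = self.bindings[r.vswitch]
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = r.sender_mac          # first binding wins
        elif known != r.sender_mac:
            key = (r.vswitch, r.sender_ip, r.sender_mac)
            if key not in self.seen_conflicts:          # alert once per pair
                self.seen_conflicts.add(key)
                self.alerts.append(("ip-mac-conflict", r.vswitch,
                                    r.sender_ip, known, r.sender_mac, r.ts))
            # binding is left unchanged; an operator confirms before it moves
        if r.gratuitous:
            gkey = (r.vswitch, r.sender_mac)
            self.grat_count[gkey] += 1
            if self.grat_count[gkey] == self.grat_burst:
                self.alerts.append(("gratuitous-burst", r.vswitch,
                                    r.sender_mac, r.ts))
        return self.alerts


def analyze(replies):
    """Replay replies in time order and return the alert list."""
    mon = ArpMonitor()
    for r in sorted(replies, key=lambda x: x.ts):
        mon.feed(r)
    return mon.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

A re-announcement of an existing binding by the same MAC produces nothing, so the monitor stays quiet on normal gratuitous ARP after a guest migration.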


Categories: Cisco, Virtualization, VMware

First Tibet and Now Me…The Great Firewall of China Claims Another Victim.

August 5th, 2007 2 comments

Thanks to Mr. Stiennon, it seems that I have been labeled a threat to the People’s Party and access to this, my seditious and politically undermining little pile in cyberspace has been, gasp!, blocked by the eeeeeviill Chinese Firewall of Disinformation.  Well, that sucks.

I have to say that Richard really did me a favor by posting this.

Firstly, it reminded me that despite my many travels, I’ve become quite an American-centric little drone without much of an appreciation for the hardships experienced by those in many other countries as it relates to censorship and net neutrality.  We take a lot of things for granted over here and in many cases Americans seem to wield the hammer of nationalism a little too heavily, even if inadvertently.

I was reminded of this by a high-ranking member of a British Telecoms company recently when, despite all attempts to rectify my ill-timed transgressions, he suggested that my sense of humor needed a much better cultural filter applied to it should I not wish to piss people off with my "Americanism."  Ouch.  I find it odd typing this because I’m somewhat culturally conflicted: whilst I was born in the U.S. and love it dearly, I moved to New Zealand and grew up there for most of my early life.

It made me think, so I really do owe you both a renewed apology and a thanks, Ray. 

Secondly, I would really like to be able to use something like Google to compare natively a search using any one of their engines to determine where, what and how searches and click-throughs are allowed or blocked in the countries they serve.  I reckon that as we get closer to GooglePOPs around the world, this ought to be plausible.

At any rate, back to the post at hand.  I quoteth Richard:

On my recent travels in China I had an opportunity to experience first hand China’s so called “Golden Wall”. In each hotel I would try to get to several sites.  For some reason this security blog is censored throughout China. How does that make you feel Mr. Hoff?  A Google search on “Tibet” will have the usual results but you cannot click through to any of the links on the first page of results. I did not search on Falun Gong for fear of really setting off the alarms and reprisals. Next time I think I will set up GoToMyPC at home and use it as a poor man’s proxy.

To answer Richard’s question directly, I guess I’m flattered on two fronts; firstly that Richard bothered to try to get to my blog while surfing in China (bored much?) and secondly that some government other than my own considers me a threat to their sovereignty.

I could, of course, rant tirelessly about my opposition to widespread and targeted filtering of information and the impact on privacy, etc., but there are far more qualified people than I to do so.  At a much more basal level, I think it sucks, because now nobody in China will be able to follow along as Richard and I smack each other. ;(

In protest, no more General Tsao’s chicken for me.

{Posted @ 2:30am after I just got back from Blackhat/Defcon with no luggage.  Apologies for any perceived lack of sensitivity for the greater global political issue of censorship here, but I want my toothbrush back from United Airlines and it’s clouding my judgment}


Joanna Rutkowska’s Amazing Undetectable Virtualization HyperMalware Preso @ Blackhat…

August 1st, 2007 4 comments

I’m sorry, what?




Categories: Virtualization, VM HyperJacking