Here are some interesting nuggets that I find compelling:

Trend Micro is buying Third Brigade – One of my favorite Canadian companies is getting hitched. Third Brigade has always been measured and understated in their approach to Virtualiation Security and their entry into Cloud and their solutions tend to deliver good value.  Their “acquisition” of OSSEC was also smart given the nature of guest-oriented controls for Cloud environments.  This is a good move for Trend as it gets them a solution suite they didn’t have previously.

Panda gets cute and cuddly with AV in the Cloud -Take a thin-client, add “Cloud” based scanning and you get a revised model for AV.  I like this idea for a couple of reasons, the most interesting of which relates to the notion of what the aggregated telemetry from all the client interactions will mean to more real-time threat mitigation.  I wrote about this sort of thing a while ago with one of my favorites being a post titled “Thinning the Herd and Chlorinating the Malware Gene Pool”  I’ll be very interested to see how functionally the service compares with traditional AV in terms of efficacy and what sort of performance one might expect.

…and so does McAfee – This appears to be simply a SaaS offering that replaces typical on-premise gateway solutions unlike Panda’s which includes a thin-client endpoint client.  Expect everyone and their mother (and their VC’s mother) to provide this in the short term.

IBM re-enters the networking market via Brocade deal – IBM is extending its existing OEM arrangement with Brocade to include the Ethernet switching and routing products from the Foundry acquisition.   Huh.  I thought they’d already done that with Juniper?  Oh, they’re going to do that, too.  Response to Cisco ya think?  IBM is good at hedging bets.

Forrester Backs Private Clouds – Will Others Follow Suit? – This is both gratifying and personally annoying. Firstly, Forrester is NOT the only analyst company backing Private Clouds.  Gartner is and has (although their definition seems to have morphed) well before Forrester and some of us have been proponents of Private Clouds before they became pop culture. Ugh.

Google Fires Back at VMware about Virtualization for Cloud Computing – Well, of course they do.  Google doesn’t utilize virtualization — they deploy millions of servers instead. It’s a “diabolically-opposed” approach.  Welcome to religious debates 101, please take a seat…or stand.

DMTF announces the Open Cloud Standards Incubator – I don’t know what to think about this.  It sounds like a good idea and has some solid backers.  I noticed that the charter is focused on IaaS/PaaS but not SaaS.  Telling.

Randy Bias says the Open Cloud Is Coming – I reviewed Randy’s original draft and he’s done a good job refining his points although I don’t agree with all of them.  His last statement is a good summary “Ignore the naysayers.  Customers want choice and they will have it.  Choice is driven by open standards, cheap resources, and easy ’self-service’ access.”  Yep, customers want choice, but choice isn’t driven by “open standards.” It’s driven by “open-enough standards” that customers feel meet their needs.

More later.

/Hoff

My Kindle2 showed up yesterday. I un-boxed it, turned it on and within 3 minutes had downloaded my first book and was reading away (Thomas Barnett's "Great Powers," if you must know.)

I've waffled on how, or even if, I would write my critique of the Berkeley RAD Lab's paper titled "Above the Clouds: A Berkeley View of Cloud Computing." 

I think I've had a hard time deciding where the authors have their heads, hence the title.

Those of you who know me are probably chuckling at the fact that I was a good boy and left off the potential third cranial location option…

Too many blogs and not enough time for full-blown analysis right now.  Will likely write about most of these if I can.  Here are some links to things I find very interesting:

• James Governor’s Monkchips » 15 Ways I Am Wrong About Enterprise Cloud Computing
  
• Greg Ness' Archimedus » The Beginning Of the End Of Static Infrastructure
• Jon Brodkin, Network World (US) » Private cloud networks predicted for corporate IT
• Dave Rosenberg, CNET » Gartner: Internal clouds are coming
• LynxSecure Embedded Hypervisor and Separation Kernel (EAL-7!)
• Storagezilla >> EMC's Atmos – Cloud Storage and ILM strategy
  
• David Marshall, Virtual Strategy >> [BlueLane/VMware]: The Rumor Is True, But Why the Secrecy?
• Eric Siebert, Virtual Strategy >> Top 10 things you must read about processors (CPUs) and virtualization
• Eric Siebert, Virtual Strategy >> Top 10 things you MUST read about virtualization and compliance
• Joel Hruska, Ars Technica: [Intel] Nehalem [Processor] by the numbers
• Virtualization.com Video: Interview Simon Crosby, CTO of XenSource – Citrix (VMworld 2008) part 1/2
• Virtualization.com Video: Interview Simon Crosby, CTO of XenSource – Citrix (VMworld 2008) part 2/2
• James Urquhart, Wisdom Of the Clouds >> A Quick Guide To The "Big Four" Cloud Offerings
• James Urquhart, Wisdom Of the Clouds >> In Cloud Computing, a Good Network Gives You Control…

Enjoy!

/Hoff

"…everyone who wants to make a difference should just go ahead and get
their own foreign policy and stop waiting on change from above."– Thomas Barnett

Inspired by my friend Gunnar Peterson, I’ve committed to begin funding Kiva Micro-loans in the next 30 days with a goal to fund up to $1,000 by year end.

What does Kiva do and what is a micro-loan?

Kiva is focused on serving the working poor

Kiva’s mission is to connect people through lending for the sake of alleviating poverty.

Kiva is the world’s first person-to-person micro-lending website,
empowering individuals to lend directly to unique entrepreneurs in the
developing world. The people you see on Kiva’s site are real
individuals in need of funding – not marketing material.

When you browse entrepreneurs’ profiles on the site, choose
someone to lend to, and then make a loan, you are helping a real person
make great strides towards economic independence and improve life for
themselves, their family, and their community. Throughout the course of
the loan (usually 6-12 months), you can receive email journal updates
and track repayments. Then, when you get your loan money back, you can
relend to someone else in need.

Here’s a snippet from Gunnar’s posting which describes his experience with Kiva:

About a year ago, we signed up for Kiva, which is a microlender. One of our first loans went to Sith Saron, who lives in Siem Reap Province in Cambodia. She needed a $1,000 for a cow, seeds, and a motorcycle for her farm.

Sith Saron is 37 years old and the mother of 7 children. She sells Khmer traditional cakes such as Num Korm, Num Bot, and Num Krouk to the people in her community and usually earns up to $4 each day. Her husband, meanwhile, works in his rice paddy growing crops as well as several kinds of vegetables. Two of her children are employed at a hotel, but the others are students.

The loan had a 18 month pay back date, and just a couple of weeks ago (about 10 months after taking out the loan), she paid the loan in full

If you are interested in helping me — and thus others — with contributing to the micro-loan movement, either sign-up to donate directly yourself, or feel free to donate via gift certificate to my pool and we can make an even bigger difference!

If you want to send a Kiva certificate, you can do so through the PayPal-enabled link above and use my email addy as the target recipient: choff [@] packetfilter.com

At my birthday BBQ bash this weekend, in lieu of gifts I’ve asked for folks to donate to my pool for this year to fund multiple loans.

My family of three young girls and my lovely wife are all very excited about being able to participate in this process both domestically and internationally. 

In fact, all three of my kids are invested in giving up material goods and gifts in exchange for donations to Kiva.  How cool is that? 

Thanks to Gunnar again for the motivation and Thomas Barnett for his inspiring words.

/Hoff

Update: Within 3 minutes of posting this, my bud Zach already donated!  Fantastic!

This is an excellent report culled from over four years and 500 forensic investigations performed by the Verizon Business RISK team.

There are some very interesting statistics presented in this report that may be very eye-opening to many (italicized comments added by me):

Who is behind data breaches?
73% resulted from external sources  <– So much for "insider risk trumps all"
18% were caused by insiders
39% implicated business partners
30% involved multiple parties

How do breaches occur?
62% were attributed to a significant error  <– Change control is as important as
59% resulted from hacking and intrusions   <– compensating controls
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats

What commonalities exist?
66%  involved data the victim did not know was on the system <– Know thy data/where it is!
75%  of breaches were not discovered by the victim  <– Manage and monitor!
83%  of attacks were not highly difficult
85%  of breaches were the result of opportunistic attacks
87%  were considered avoidable through reasonable controls <– So why aren’t they used?

Very, very interesting…

You can get the report free of charge here.

/Hoff

*Update: I’ve read quite a few bristling reviews of this document.  Some claim it doesn’t go far enough to describe how VzB collected and sampled the data and from whom.  Others suggest it’s FUD and obviously just meant to generate business for VzB.

It’s true we don’t know who the customers were.  We don’t necessarily know which segments of industry they came from or how big/small they were.  It’s not authored by a disinterested party.  Got it.

I guarantee that some of people who are amongst those being critical of the report will bitch about it and then use this data just like they have the FBI/CERT data over the years…

Take the report on face value and map it against others to see how it lines up.

This is not the definitive work on breaches, for sure, but it’s an interesting and useful data point to consider when exploring trending as well as for use in strategic planning in assessing your security program and preparing for an inevitable breach. 

I had an idea today; a platform upon which to launch a little security parody mixed with an even dose of introspective navel gazing and the odd spoonful of guffaw. The goal is to provide a healthy whilst humorous appraisal of the state of the security industry.

Think InfoSec Sellout meets Monty Python and The Apprentice.

Did you ever see the movie The Star Chamber?

In one of his earlier features,Michael Douglas plays a young judge who
becomes disillusioned with the law system he used to so admire when he finds
himself continually having to aquit particularly dispicable criminals on the
grounds of ridiculous technicalities.

Sensing his frustration,a close friend
(Hal Holbrook) informs him of a secret judicial society that meets and
dishes out the appropriate punishment to those who have escaped the clutches
of the law. 

Inspired by some conversations this last week at ShmooCon with friends new and old, I am creating the Rational Survivability version of the "Security Star Chamber."

I’m going to play the disillusioned (young) judge.  I’ve recruited my not-so-secret judicial society who will, on a weekly basis, cast judgment against a specific market of the security industry; we’ll pick on a segment in a no-holds barred look at the belly of beast, not to dispense punishment, but to rather provide perspective.

If we can’t take ourselves seriously, we may as well play the fool instead.

We expect to communicate our judgment in the most pompous, self-important and aggrandizing style as we possibly can.  Fair and balanced?  This ain’t Fox News (if you can’t sift through that irony, you’re sure as hell going to hate the SSC…)

Here’s the catch…each of the jury has to summarize his or her argument in one sentence.

This may lend itself to some awkward dialog, but it ought to be mildly interesting for sure.

You’ll meet the other judges shortly 😉

/Hoff

I think that perhaps I have chosen a poor approach in trying to raise awareness for process control and SCADA (in)security.  You can find recent SCADA posts here, including the "awareness campaign" Mogull and I launched a couple of weeks back that got a ton of eyeballs …

I believe I reacted poorly to the premise that some of those who assert expertise in this area tend to dismiss anyone who has a background only in what they define as "IT Security" as being unable to approach understanding — let alone securing — this technology.

Let me take a step back for a moment.

I’d like to get to the bottom of something regarding the alleged great divide between what is being described as diametrically opposed aptitude and experience required to secure "IT" infrastructure versus process control systems such as SCADA. 

I notice a similar divergence and statements being made between those who specialize in web application security (WebAppSec) versus information or network security (InfoSec/NetSec.)

For example, WebAppSec is a discipline and specialty that some suggest requires a level of experience and expertise that goes beyond that of traditional "information security" or "network security" practitioners.  It is suggested that in order to truly secure web applications, one generally requires programming experience, understanding complex data structures, databases, distributed application architecture, etc., at a very detailed level.

I think these statements are reasonable, but does it preclude an InfoSec/NetSec practitioner from contributing to effectively manage risk in a WebAppSec environment?

A network security practitioner can deploy a web application firewall and generally configure the solution, but the antagonists suggest that in order to provide a level of protection commensurate with the complexity and dynamics of the code which they are attempting to "secure," it cannot be done without an in-depth understanding of the application, it’s workflow and behavior.

Again, in reflection, I’d say that’s not an unreasonable assessment.  However, WebAppSec and NetSec/InfoSec guys in mature organizations generally should know what they don’t know and work together to implement a holistic solution across layers.  It doesn’t always work out that way, but in order to secure the WebApps, we can’t ignore the underpinnings of the network or information security foundations, either. 

It really should be a discussion, then, on how to unify complimentary approaches at various levels with an overall focus on managing risk. However, what I find is a downright civil war on the "IT" vs "SCADA" security front.  I have to ask why?

Here’s an excerpt from a post I found on Dale Peterson’s excellent Digital Bond blog.  It was a review of a SCADA security presentation at a CCC event in Italy regarding an introduction (of sorts) to SCADA security.  The premise isn’t really important, but I think that this does a good job of explaining some of the issues and sentiments that I am referring to:

Now here’s the good news: Asset owners, you don’t need to worry about
hackers. When they talk about “owning critical infrastructure”, they’re
just sharing their wildest dreams. In reality, they have nothing in
their hands. Zero. Nada. Niente. It will take several more years until
the hacker community has learned to master various flavours of PLCs
with their different protocols and vulnerabilities. It will take
further years until they get to things like OPC and furnish advanced
attack methods against it. And by the time they come up with decent
exploits for the various SCADA applications that we use today, most
CxOs will already be retired. We have heard over and over again that
the IT folks aren’t particularly good at securing SCADA environments.
Guess what, they aren’t good at attacking them either. However our
hackers do think nobody will notice because the stuff is all so
complex. That’s what I call “insecurity by obscurity”.

This whole notion of "it’s so complex and so few people know anything about it so we have nothing to fear" seems to be the point of divide.

There’s another really telling post on Dale’s site (authored by him) titled "Firewalls are easy, control systems are hard" wherein the following inaccurate premise is painted which reduces the scope of the entire infosec/netsec profession down to a five-tupule in a basic packet filtering firewall:

One of the common refrains heard again at ISA Expo is that IT
firewalls are too difficult to configure and deploy. Several
presenters, especially those promoting field security appliances,
mentioned this, and it seemed to be generally accepted. While I’m all
for simplicity and credit the vendors for trying to ease deployment,
firewalls are simple compared to the deploying PLC’s, defining points
in the SCADA database, developing displays, control loops, and the
myriad of other detailed configuration required to make a control
system work.

A firewall ruleset is as simple as defining rules by source IP,
destination IP and port. Since communication in control systems is
limited as compared to the corporate network, the ruleset is usually
very small.

How simple is that compared to monitoring and controlling a complex
process distributed over a plant or large part of the country with 5000
points or 100,000 points? I was introduced to control systems in 2000
and have worked on a large number of SCADA and DCS in a variety of
industry sectors and I still marvel at the effectiveness and attention
to detail in these systems. There is nothing in firewall or any other
IT security system configuration that comes close to the complexity in
configuring and deploying control systems

That maybe true in an SME/SMB network, but the reality is now that firewalls in a large enterprise (which is a much more reasonable comparison) are just a small piece of the puzzle.  Endpoints numbering in the thousands (if not tens of thousands) which run hundreds of application combinations aren’t exactly chopped liver to secure.  Add in Web Application Firewalls, Database Monitoring, Encryption (at rest, in motion,) IDS, IPS, Proxies, A/V, URL Filtering, Anti-spam, NBAD, SIEM, etc. and it just gets more complex from there.

If life were as simple as deploying a firewall and firing off a five-tuple ruleset, we wouldn’t be in this pickle.

Regardless of whether a NetSec/InfoSec practitioner knows in-depth details regarding implementing PLC’s/RTU’s or the inner-workings of the IEC61131-3 block programming language is neither here nor there because it’s only one piece of the puzzle. 

Many InfoSec/NetSec practitioners don’t have expertise in SQl/pSQL, but they work with the DBA’s to secure databases, right?

Once these systems are interconnected to an IP-enabled network, it requires cooperation up and down the stack.  InfoSec/NetSec pro’s need to become SCADA-aware and SCADA pro’s need to stop suggesting that this technology is just so complex and overwhelming that it’s beyond our ability to effectively collaborate and that "firewall jockeys" just can’t understand.

The reality is that the bad guys look for the weakest link in the chain.  Will they attack complex protocol stacks and programming languages first?  No, they’ll go after the low-hanging fruit like poorly-configured/secured end-nodes, bad perimeter controls and general user-driven crap like we see in the rest of the world.  They won’t need to even spell PLC.

We need the same level of information sharing and respective skill set cross-pollinization in this regard instead of squaring off like it’s a battle between us versus them. 

/Hoff

I’m sorry, did someone say we have nothing to worry about when it comes to SCADA and control systems security?  I must have missed the memo:

CIA: Hackers to Blame for Power Outages

By  TED BRIDIS  –  3 hours ago

WASHINGTON (AP) — Hackers literally turned out the lights in
multiple cities after breaking into electrical utilities and demanding
extortion payments before disrupting the power, a senior CIA analyst
told utility engineers at a trade conference.

All the break-ins
occurred outside the United States, said senior CIA analyst Tom
Donahue. The U.S. government believes some of the hackers had inside
knowledge to cause the outages. Donahue did not specify what countries
were affected, when the outages occurred or how long the outages
lasted. He said they happened in "several regions outside the United
States."

"In at least one case, the disruption caused a power
outage affecting multiple cities," Donahue said in a statement. "We do
not know who executed these attacks or why, but all involved intrusions
through the Internet."

A CIA spokesman Friday declined to provide additional details.

"The
information that could be shared in a public setting was shared," said
spokesman George Little. "These comments were simply designed to
highlight to the audience the challenges posed by potential cyber
intrusions."

Donahue spoke earlier this week at the Process
Control Security Summit in New Orleans, a gathering of engineers and
security managers for energy and water utilities.

The Bush
administration is increasingly worried about the little-understood
risks from hackers to the specialized electronic equipment that
operates power, water and chemical plants.

In a test last year,
the Homeland Security Department produced a video showing commands
quietly triggered by simulated hackers having such a violent reaction
that an enormous generator shudders as it flies apart and belches
black-and-white smoke.

The recorded demonstration, called the
"Aurora Generator Test," was conducted in March by government
researchers investigating a dangerous vulnerability in computers at
U.S. utility companies known as supervisory control and data
acquisition systems. The programming flaw was fixed, and equipment
makers urged utilities to take protective measures.

Now, this article says these attacks were outside the U.S. (since it came from the CIA, you can imagine why.)  Also, it does NOT directly say that SCADA systems were attacked.  However, these statements were made at a SCADA "Process Control" Security conference, so I’m going to take the liberty of bridging that assumption.  Either way, it highlights the problem at hand (see the 787 Dreamliner story and the Polish Tram derailment…)

Do y ou really think it’s that much of a reach to suggest it’s not happening on our shores?

If anyone gives me any more crap about being concerned regarding the possibility/potential for disruption…look at the boldfaced section.  The compromise was conducted over the Internet.  Don’t forget, this sort of thing is supposed to be impossible given some comments from my "awareness campaign":

Oh gosh, where do I begin Chris? 

What do the first letters of SCADA stand for?  Supervisory Control. 

A real SCADA system doesn’t issue direct controls. It issues
Supervisory Controls. There should be no time critical control loops in
SCADA. In other words, we have vulnerabilities. But they won’t destroy
anything right away. We engineers know better than to trust complex
software.

Most good design practice is based upon graceful degradation. In
other words, we don’t send a command to open a valve. We send commands
to change the pressure differential setpoint. A local controller takes
care of the rest. There are sanity checks in the local controller.

You could send commands to the field that would screw things up. But
most people would notice and we’d take action. Keep in mind, that while
our operation is very careful and deliberate, the distribution system
was built for some wild extremes including pipe breaks, extreme
weather, communcation outages, and vandalism. A successful attack would
require intimate knowledge of where the real vulnerabilities are.

Are you an expert at water utilities too? 

Posted by:
Jake Brodsky |
December 15, 2007 at 11:47 AM

No, Jake.  I’m not a water utilities expert, just a concerned observer & citizen. 

Hat tip to Stiennon for the source.

/Hoff

Besides the monthly BeanSec! gatherings, New England really needs a security conference to call its own.  Now we have one.

You can find a ton of detail about the show here, but if you’re impatient because you’re pahking the cah in the yahd and can’t get to your browsa, here’s the skinny:

The security convention is called SOURCE: Boston 2008, and it’s held
from March 12-14th, the W-F before St. Patrick’s Day weekend. The place
it’s being held is the Hyatt Regency Cambridge, right on MIT’s campus.

It’s the big step-shaped hotel with the neon framing right on the water. We have negotiated low room rates and are sporting quite a line-up of speakers and keynotes, including keynotes from Dan Geer of MIT Athena/Kerberos fame, Richard Clarke, and Steven Levy.

We will also have a panel with the members of the L0pht – speaking together for the first time in 10 years. We have some great evening activities such as a VIP reception and a Thirsty Thursday Pub Crawl.

The three tracks are application security, business and security, and new security technologies. It’s a professional conference and we’re having several CEOs speak, as well as other chief officers. However, it’s combining that professionalism and business component with the edginess and fun of some of the hacker conferences.

Rich Mogull and I are appearing on stage together as Click and Clack (or is it Wallace & Grommet?)  That ought to be worth the price of admission right there.

See you there.

/Hoff