Archive for the ‘Book/Doc review’ Category

Strategy and book review

Monday, December 31st, 2007

A “Strategy” thread was started on the DailyDave mail list by Dave himself, criticizing information warfare papers:
“If you’re reading an information warfare book or paper you’ll invariably see a lot of:
1. Inane references to Sun Tzu (or, in some even more horrible cases, any two of Sun Tzu, Clausewitz, and John Boyd)
2. Declarations that information warfare is an “asymmetric attack”

Dave goes on to drop a couple product names and then describe the money saving mono-culture Microsoft technology implementations within the US .com and .mil communities, and describes it as poor strategy:
“Bad strategies like this result in flailing and moaning as you get defeated over and over by someone with better strategy, not because the battlefield is inherently asymmetric.”

Unfortunately, this past year was a record year for data breaches, according to a couple of groups. (Although, I’m not sure that statement is completely true. It seems more to have been a record year for reporting breaches, due to a number of new factors. Incident reporting has always provided only a cloudy window into actual events.)
Any way you slice it, in light of the sheer volume of security breaches, Dave’s statement about the mono-culture of .com and .mil communities is a troubling one — in spite of a year of record profits for the .com community and record budgets for the .mil community, it seems that technology implementations still are not getting the budget or focus that they require when it comes to effectively addressing security needs.

Another poster on the list responded to Dave’s complaints by posting a book review about “Spec Ops: Case Studies in Special Operations Warfare: Theory and Practice” by William McRaven, a U.S. Navy SEAL commanding officer. I got a chance to check it out this past week and the eight case studies McRaven analyzes really are fascinating (if you’re a bit of a military history buff). The theory and principles at the beginning of the book (summarized on the DailyDave post) can be applied to analysis of the targeted attacks that have become much more commonplace on the net. It’s a stimulating read for security enthusiasts, and applies well to the ongoing security breaches around the world:
“If you can’t draw the parallels to general security practices from those principles then the book is not for you, otherwise you might find yourself ripping through the book and thinking in an entirely different light by the final chapter.”

Cisco Annual Security Report

Thursday, December 20th, 2007

Joining the bandwagon of future tellers, Cisco recently read the collective palm of malcode writers and cybercriminals everywhere and released what they saw in their annual security report.

Seriously though, the report takes perspective on some pretty massive themes and is a worthwhile read for security managers and other interested users. It provides “an overview of the combined security intelligence of the entire Cisco organization”, which is an interesting statement in itself, knowing that the company has over 60,000 full time employees and lots of contracted and outsourced staff.
I like its structure and layout, but you’ll still find a lot of questionable statements in its details, so end users might be pretty well confused by some of the key statements.
Malware activity gets stuffed under the Vulnerability section. Their crystal ball tells us What to Expect in 2008, partly based on what they have not seen in the past (disregarding the golden rule that absence of evidence is not evidence of absence in the security arena):
“More malware may execute in system memory, not on hard drives.”
Huh? I can’t remember the last time a piece of malware, or any code for that matter, executed on the hard drive, instead of in the CPU and memory. And what about caching or paging?

Ok, we can get past that statement. The point seems to be that “more” malcode may run on systems without ever touching users’ hard drives: “Malware attacking rootkits that executed entirely in system memory emerged in 2007. As average RAM size continues to increase in the coming year, these strategies will likely grow in popularity”.
Imho, not exactly. These strategies have been around for a long time in the underground and cybercriminal coding communities, but it hasn’t been a money maker — Aphex’s downloader circa 1999 is an example. The key feature was that it downloaded any content to memory from a remote location (like a web server) and executed the content in memory without the content ever touching the disk. I am sure his was not the first, but he was one of the first from the shadier side of the underground to develop and publicly release a reliable loading technique like this one on his website. The downloader, and its scanner evasion techniques, just weren’t needed at the time. Problems from using the technique had nothing to do with the size of physical memory on the victim system. But there were easier methods of detection evasion.
Kinda confusing.

Anyways, enough of my nitpicking, it is an interesting read with a fine list of key recommendations, predictions, and some exposure to their collected data from 2007. I’ll get through more of the malware section and update this post with notes about what I really like in the report.

Sans Top 20 for 2007

Tuesday, December 4th, 2007

The Sans Institute, a source of information security training, certification and research, released their Top 20 list — security risks for 2007. They release this Top 20 annually, it’s a popular read for security professionals and enthusiasts.

Not surprisingly, they noticed that operating system targets are not attacked by massively propagating worms anymore. They note that “Operating systems have fewer vulnerabilities that can lead to massive Internet worms…There have not been any new large-scale worms targeting Windows services since 2005.”
I think that the vulnerabilities are still present in XP. They just are not researched or attacked as much anymore.
One might also notice that the decrease in the presence of network worms coincided with a major sea of change in the OS marketplace: the introduction and rampup of Windows systems running a host-based firewall. In late 2004, XP SP2 users were treated to a host based firewall that finally was delivered and enabled by default. Users also started looking for better host based firewalls once they understood what host based fw really were. Accordingly, the Sassers and Zotobs of the internet had no easy in. By the end of 2005, it just wasn’t all that fruitful to try to remotely attack Windows services that were now closed off from the internet cloud. The activity did not stop, however, it just took a turn.

Reading through the list or press release, you might also notice a corresponding rise in methods attackers use to evade the Windows host based firewalls: “We have seen significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications. These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets.”
This arena of research has received the most attention, because these attacks are now the easiest to deliver.

Overall, it’s an interesting read. Enjoy!