Emerging Threats

1
Management 512 – © 2010 SANS
Everything I know is wrong!
How to lead a security team in a time of
unprecedented change and challenge
This is NOT a New Problem

2
1943: A world market for
maybe five computers
1981: No one will ever need
more than 640k

3
1995: Internet will never take
off
Some Specific Examples
“A man doesn't know what he
knows until he knows what he
doesn't know.” Dr. Laurence Peters

4
.pdfs are the safe attachment
• Don’t send .docs that might transmit a
virus, send a .pdf, it is “just” a print file
• Today, about 1/2 of malware infections
originate from Flash and Reader
http://www.itpro.co.uk/622522/adobe-reader-and-ie-feel-brunt-of-web-based-malware
• Doesn’t solve everything but I am
loving Gpdf for Firefox and Chrome
Computers are made from
CPU, MMU and possibly GPU
• Computers are made from a number of
subsystems, many of which have own
processor and memory that are not
under direct control of OS
• June 2010 Bigfoot released an NIC with
its own GPU
• And then, there is the baseboard
management controller

5
Hot site is the Cadillac of
Disaster Recovery
• Hot site means equipment/network
is available and configured
• However, today’s environments are
so complex, that doesn’t work well;
too many changes too fast. VMWare
Site Recovery Manager has a much
better chance of actually working.
Or maybe alternate sites
• Paul Volcker as the Fed, argued for
redundant sites, database
replication, geographic diversity
• How geographically diverse? Think
EMP
http://www.newsmax.com/RonaldKessler/emp-electromagneticpulse-William-Graham/2010/04/05/id/354742

6
If you encrypt it with AES it
will be safe for 1000 years
• 2009, Alex Biryukov, Orr Dunkelman,
Nathan Keller, Dmitry Khovratovich, and Adi
Shamir, describe an attack against 10 round
AES 256 that is fully practical
• 14 rounds is NIST standard so don’t panic
yet
• Historical note, DES was still in common use
when it could be cracked in near real time
You have to have anti-virus
• Is the prevailing wisdom and it has
made its way to the auditor’s checklists
• 30k new malware per day from
automated systems, AV is 90%
effective at best and usually far lower
• What we have to have is endpoint white
list technology, and it is a pain

7
Incident Response isn’t that
hard
• In the past this was the domain of
the Help desk and primary tool was a
“cleaning kit”
• Today, you find you need an outside
specialist in response/forensics/
investigation/malware who bills at
$330.00 hour door-to-door
When you register a domain
get the .net and .org as well
• Yeah, and every country code and
domain suffix?

8
When you code, do all your
housekeeping at one time
• Get your file handles to input files,
scratch files, output files all in the
same function, so if you can’t do your
I/O you exit with a nice error message
• But, this allows a difference between
TCO/TOU which opens the door for
race conditions
Online banking is safe
because of security questions
• It is likely that you mentioned the
name of your pet on Facebook
• They usually only ask the security
questions if you do not have a bank
cookie

9
Online Banking Tips
• eTrade uses an RSA dongle, therefore it
is my primary account
• Get your paycheck deposited into one
bank account and do not use that
account for ANYTHING other than
paying bills
• Have a max of one bank where you
have a debit card
As long as they don’t go to porn
sites web surfing is harmless
• Surfing the web is probably the
most dangerous thing you do using
a computer
• NoScript Firefox, with Internet
Explorer I have Flash disabled, try
that and see how many web sites
fail

10
I run Microsoft Update so I
am pretty good, yeah?
• Actually, the odds are we have
expired, end of life and out of date
needing patches 3rd party
applications
• I run Secunia PSI 2.0+ to try to
manage this
You should never put more
than one service on a server
• This was one of the lessons of the
Morris Worm – 1988, if the server goes
down, you lose multiple services
• Today, we have blades hosting
hundreds of servers, however tools like
VMotion may be able minimize the risk
• State of Virginia went down for IT
August 2010 for about a week

11
OK, so what?
Stephen, you have shared some facts,
some I knew, some I didn’t, some I
need to research further, but what is
the point?
Future Shock Revisited
• 1970 – we are headed for a time of
increasing change, people who can
adapt will prosper, others . . .
• Coined the term “information overload”
which no one uses anymore even
though they are overloaded
• Concept of knowledge worker, who can
work from anywhere (Aloha y’all)

12
So, everything we know isn’t
wrong, it is just changing
Let’s talk about proven
strategy to stay effective
during times of change
Business “clue” during times
of extreme change
• Situational awareness, get in the
information stream, be alert for what you
can measure
• Know what is “evergreen”, adapting to
continue to deliver revenue as times
change and protect that above all
• Don’t change anything that is working,
save your energy for things that are not
working well

13
Security “clue” during times of
extreme change
• Threatpost
• ISC.SANS.ORG – hey, it looks a lot
more like English than it used to
• SANS NewsBites
• Scan Searchsecurity.techtarget.com
• At least once a month, really dig
into to a vulnerability or attack
Don’t force yourself or your smart
techie to try to figure it all out
• Use templates for system
configuration www.cisecurity.org
• Leverage the 20 Critical Controls,
especially the quick wins and
automated controls

14
Managing “across”, managing
peers
• Keep in mind that extreme change is and
has been a fact of life in security for a long
time, your peers in other areas of the
business may not be as used to it as you
are, give them some grace and time to adapt
• Also, not everyone needs to be a
technologist; a good business operator
brings in more money than a technologist 99
times out of 100
Managing the Boss
• Senior managers tend to be a little older
and less flexible
• Make sure to add value to the organization
and then hold your ground *in private*
• A compliment every once in a while
doesn’t hurt
• Practice giving accurate, but simple and
short explanations about technology
• Avoid FUD, that is so 1970s

15
Managing Direct Reports
• The two keys are capability and consistency,
make sure the same boss shows up every
day, push to improve capability
• Communication – if something does not get
done, first check to see if your direction was
clear
• Follow up, when you give direction set a
calendar tickler
Challenge Yourself
• Meetings, whitepapers, policy are
all important
• But don’t get so busy that you
don’t actually play with a tool every
once in a while

16
12 Laws of IT Power
• They can’t easily fire you if you are
the best
• Never speak to management in
hex
• At any given time know what the
best selling security books are
• If you help people learn what you
know, they will help you get the
work done
• Bet on people and bet large
• Be flexible - as long as you have
oxygen, power, water and
propellant, you have options
• No sensible organization
wants to mess with a
rainmaker
• Avoid unplanned requests for
money
• Be positive
• Teaming, the person next to
you knows something you
don’t
• Push back
• When opportunity knocks, be
prepared to take advantage of
the moment
Parting Thoughts
• Nobody becomes effective or irrelevant in a
day, either is the result of thousands of choices
• We all have the same amount of time: avoid
timewasters, seek timesavers, consider giving
up a low value task to pursue a high value task
• Decide what you want to accomplish, the steps
to get there, share it with a friend who will hold
you accountable, use written reminders until
the steps become habits and then disciplines

Emerging Threats

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Mehr von Rochester Security Summit

Mehr von Rochester Security Summit (13)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Emerging Threats