Security site to bookmark: www.openioc.org

Sharing information about real threats and real attacks

We human beings live in communities. Information about the threats that may affect our group is an important element that we communicate to our peers. This information brings greater preparedness against potential risks. In addition, if those risks do materialise, a faster and more effective reaction is possible.

Something similar can be seen on the Internet: www.openioc.org is an example of this. It proposes an automated way to share information about real threats on the Internet.

According to its homepage, OpenIOC "facilitates the exchange of indicators of compromise ("IOCs") in a computable format" i.e. ready to be processed by information systems such as intrusion detection systems and application layer filtering firewalls.

Each compromise indicator contains three elements:
- First, the metadata, which provide contextual information such as the author of the indicator, the name of the indicator and a brief description.
- Second, references, so you can link the indicator to a particular wave of attacks.
- Third, its definition, which describes its specific infection mechanisms and operation.

A valuable detail of this format is the possibility of using Boolean logic to filter indicators automatically.
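The three parts of an indicator and the Boolean filtering described above, shown as an added example that is not from the original post or from the OpenIOC project. It parses a constructed document in the OpenIOC 1.0 XML layout and evaluates its `Indicator` tree against facts observed on a host. The sample values, the shape of the `facts` dictionary and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
OPS = {"is": lambda want, v: want == v, "contains": lambda want, v: want in v}
# Constructed sample in the OpenIOC 1.0 layout; every value is made up.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <short_description>Example dropper (constructed)</short_description>
  <authored_by>analyst@example.org</authored_by>
  <links><link rel="campaign">EXAMPLE-WAVE-1</link></links>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00112233445566778899aabbccddeeff</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">updsvc</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="PortItem" search="PortItem/remotePort" type="mir"/>
          <Content type="int">8443</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def item_matches(item, facts):
    """Test one IndicatorItem; facts is assumed to map search term -> list of strings."""
    test = OPS[item.get("condition")]  # KeyError for a condition not handled here
    term = item.find("ioc:Context", NS).get("search")
    want = item.find("ioc:Content", NS).text.lower()
    return any(test(want, v.lower()) for v in facts.get(term, []))

def evaluate(node, facts):
    """Recursively apply the AND/OR operator of an Indicator to its children."""
    results = [item_matches(i, facts) for i in node.findall("ioc:IndicatorItem", NS)]
    results += [evaluate(n, facts) for n in node.findall("ioc:Indicator", NS)]
    return all(results) if node.get("operator") == "AND" else any(results)

def check_host(ioc_xml, facts):
    root = ET.fromstring(ioc_xml)  # shared IOC files are untrusted input
    meta = {"name": root.findtext("ioc:short_description", namespaces=NS),
            "author": root.findtext("ioc:authored_by", namespaces=NS),
            "references": [link.text for link in root.findall("ioc:links/ioc:link", NS)]}
    return meta, evaluate(root.find("ioc:definition/ioc:Indicator", NS), facts)
```

The host matches when either the hash is seen, or both the file name fragment and the remote port are seen together.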

OpenIOC is an extensible XML encoding protocol initially designed for Mandiant security products such as "IOC Editor", a free XML editor for indicators of compromise, and "Redline", a compromise verification tool for Windows installations, also free.

Security incident responders were interested in this initiative, and Mandiant finally standardised OpenIOC and made it available to the open source community in 2011.

OpenIOC is currently an open initiative. For example, the OpenIOC Google Groups forum is very active, and there you can get information on how to use this format with log analysis tools like "Splunk" or find references to indicator repositories such as www.iocbucket.com.

Based on the increasing number of security incidents on the Internet, related information sharing will grow over the coming years, especially among companies with a similar risk profile.

Perhaps a pending task of this project is to implement a non-intrusive compromise detection service for end users outside major corporations.

Happy protection!


Fly high!


Book Review: Steve Jobs Hardcover by Walter Isaacson - Lessons for Information Security?

Steve Jobs by Walter Isaacson - Lessons for Information Security?

I went through Mr. Isaacson's biography of Steve Jobs and I would like to share with my information security community some very personal and biased learning points, potentially applicable to our industry.

As always, the intent of this post is not to replace the reading of this highly interesting and very well written book by Walter Isaacson.

- The author talks about reality distortion fields, how some people live in them, and how difficult it is for the rest of us mortals to interact with them once we realise that their reality is different from ours.

In information security there are many people within reality distorting fields.

- However, there is a positive side to reality distortion fields: sometimes they become reality if effort, passion and innovation (and luck? and timing?) kick in.

Totally applicable to information security.

- Even introverts need a dense and effective network to succeed in business.

Frequently forgotten in Infosec.

- Successful business people do not equal successful parents.
- Successful business people do not equal ethical colleagues.

- Selling abilities are key in every social aspect of our lives (business, social, family).
- Some things definitely cannot be patented.
- Money is a hygienic motivational element.

- You can shift working passions during a long period of time (11 years passed since he was ousted from Apple until he came back).

Also very applicable (but hardly applied) to infosec people.

- Charismatic people tend to have more troublesome lives than peacefully smooth characters.

Just go and attend any security conference, mingle with people around, and you will confirm this statement.

- The way a company is run can benefit hugely from innovation. We can innovate in the way we manage a company, or a team.

Totally applicable to information security.

- Brutal honesty is a management approach, up to the actors (the sender and recipient) to accept it or not.

- Marketing is key - so key that every Wednesday afternoon, every week, the CEO would meet their marketing people.

Marketing, the forgotten element in most Information Security units.
 
- Do you control the end-to-end experience your customer or user goes through when using your product or your service?

Innovative element that security practitioners can apply from day one when they design their deliverables.

- Internal product cannibalisation? Go for it - Otherwise other companies and products will cannibalise yours.

Applicable to our information security products? Certainly. Let's do it.

- Persistence: key for success. Sometimes we need to devote years for something to succeed.

Is our industry persistent enough? Nice topic for a discussion.

- The second-product effect, if your company does not know why their first product was a success, then they will fail with their second product.

Have it in mind when expanding your security portfolio.

- Electronic communication is fine, but if you want to trigger and foster innovation, make physical communication, face to face, happen.

A piece of wisdom here for our industry, in which we overuse non-physical communication channels.

- Do not mention the ideas you have for a new product before you launch it... or someone else will be faster than you.

Already applied in our industry ;-)

- Privacy and running a publicly traded company sometimes create conflicts.

Difficult to accept sometimes, but privacy is (or will be) already gone?

- Sometimes a product launch is a failure and later on it gets transformed into a historic breakthrough, especially if you use powerful marketing to let people know how they can use it.

Again, a link to smart marketing that in our industry still does not exist.

- Sometimes, going through serious health problems does not make rough characters softer.

- A feature of Apple's culture: "accountability is strictly ensured".

Tough but effective.

- One of the next revolutions to come: textbooks and education. They really did not change a lot in many years.

Are we still on time in terms of securing the coming new learning experience?

- The clash of two different technology philosophies, open versus closed in terms of where software runs and the different approach Microsoft and Apple followed.

- Things can really change (although most of the time you need time, passion and patience). E.g. in 2000 Apple was worth only a twentieth of the value that Microsoft had in the market; in 2010 Apple surpassed Microsoft in market value.

- In business you choose: either devote the time to start dying or devote the time to start being reborn.

- And, last but not least, when death comes to visit us, we all strive to get that peace of mind that was difficult to find during our lives with our people (family, relatives, colleagues, etc.).

Happy innovation!

Being fast!




Book Review: IT Risk: Turning Business Threats into Competitive Advantage by Westerman and Hunter

This post provides a very personal review on the book titled "IT Risk: Turning Business Threats into Competitive Advantage" by George Westerman (Research Scientist @ MIT) and Richard Hunter (a Gartner fellow) published in 2007.

A book mainly for executives and for those requiring some foundations on why and how information security, also known as IT risk, can be implemented in an organisation today.

It is encouraging to see how some of the learning points present in this book already appeared in this blog in 2006.

As always, an important disclaimer: this review does not replace the reading of the book. On the contrary, it encourages you to read it. Thanks to the authors for their research work.

In 9 chapters, the authors provide simple but powerful ideas on how IT risk is really linked to business risk and how both risks can be managed.

The first chapter states how IT has become central in organisations today. However, IT risk is still seen in IT departments. This traditional way of seeing things is proven to be partial and not fully future-proof. The authors remind us how decision makers in organisations need to be aware of the business risks created by IT risks.

IT risks need to be factored into business and business risks need to be factored into IT. The notion of perceived risk is also mentioned, along with how attention and resources are mostly given to those perceived risks (and not to all existing and real risks).

The authors finalise this chapter with the 4 A's model i.e. risks can be broken down into 4 categories: availability, access, accuracy and agility.

The second chapter presents three disciplines as required ingredients to manage IT risks:

- A well-structured foundation of IT assets.
- A well designed and executed risk governance process.
- A risk-aware culture (different from a risk-averse culture).  

The third chapter mentions the traditional (but powerful) idea that investing in prevention is less expensive than spending in reaction.

They present the IT risk pyramid, with availability at the bottom, then access, then accuracy and finally agility at the vertex.

The fourth chapter expresses the need to simplify the first mentioned ingredient i.e. the IT foundation. This shows the importance of IT and enterprise architecture. When will a business service be migrated to a simplified foundation? When the business risk to keep it in the legacy system is greater than its business value.

The fifth chapter proposes a traditional risk governance process using concepts such as impact and probability. Threats, though, are not mentioned much. They also touch upon the importance of engaging decision makers in these governance processes.

The sixth chapter talks about a risk-aware culture and how this starts at the top of the organisation. A risk-averse culture does not really avoid risks. It just neglects them. Two useful concepts are mentioned: Segment different audiences and communicate regularly.

The seventh chapter includes some checklists that would guide the risk manager throughout the implementation of these ingredients.

The eighth chapter provides some keys on the future and the ninth chapter summarises the main learning points.

All in all, a mostly traditional (with some innovative elements) reference that can help our readers to navigate through the business ocean.

Happy risky reading!  

The sky is the limit!

Book review: The regulatory craft - Controlling Risks, Solving Problems and Managing Compliance by Malcolm K. Sparrow

Are you working in a policy-setting team and, at the same time, would you really like to see problems occurring in reality being solved?
How do you normally answer the typical dilemma between theoretical governance and effective policy-implementation in reality?

If the answer to the first question is "yes" and the answer to the second question is "hardly", this book by Malcolm K. Sparrow is for you. Also if the answer to the second question was "I am doing fine but I am running out of ideas", then this is your book to read, too.

It has 4 parts, about 330 pages and a myriad of real examples coming from the author's broad experience.

Part 1 sets the scene, describing current regulatory practices and the widely used process improvement approach. This is a useful way to achieve a gain delta, i.e. improvements (though not major ones) in policy implementation.

Part 2 proposes an innovative way to achieve bigger gains than those obtained with process improvement. The author calls it "problem solving" i.e. the capacity to focus on a specific non-compliant situation and to make it compliant. In other words, the possibility to solve real problems, one after the other.

Once a problem is listed, identified and selected, it needs to be precisely defined and, as important as that, the problem-solving team needs to set up a way to measure impact.

Only when these initial steps are thoroughly thought through and mature can one start with the design of the measures to be taken and their implementation and monitoring. It seems pretty much common sense; however, this approach is often not followed.

Together with this problem-solving approach, the author mentions different systems that need to be in place: a problem nomination and selection system, a resource and responsibility assignment system, an oversight and review system and finally, three additional systems: a reporting system, a support system and a learning and reward system.

Clearly problem-solving is not just an ad-hoc alternative to process improvement. It is a thoroughly thought through approach to manage compliance while providing value to the community.

With regard to reactive, proactive and preventive techniques, the author states that the three of them are valid and useful. He adds a valuable ingredient: using risk control as the meter to decide which technique to use in each moment.

Part 3 of the book is devoted precisely to risk control, the innovative element that would empower compliance in its quest towards excellence. The author makes risk management pivotal to applying problem-solving techniques.

Risk management methodologies (like the ones also mentioned here and there) and strategic thinking would then become working tools to guide our daily work and to make it effective, regardless of the compliance field we are working on.

Worth mentioning are three risks whose treatment is, according to the author, somehow challenging: "Invisible risks", "risks involving opponents" and "risks for which prevention is paramount".

Certainly in a risk-centered world, the task of assessing current and new risks, mostly known as intelligence gathering, becomes crucial for success.


The last part of the book, Part 4, provides examples and summarises proposals.

All in all, a reference for those responsible for turning a compliance agency into a success story!

Happy problem solving and risk control!

Solving height problems



Security sites to bookmark: blog.didierstevens.com and rootshell.be

Belgium: Waffles... and security

The professional activities that we undertake within our company, be it our own shop or our employer, can, and should, benefit from all our other security-related activities. The two security sites I recommend visiting confirm this. Both are written by well-known names in the European information security community: the Belgians Didier Stevens and Xavier Mertens.

Like securityandrisk, Didier Stevens created his blog blog.didierstevens.com in 2006. Since then, he has regularly published very practical and technical security articles. Didier pays special attention to network security. The quality of the blog invites you to visit his own business site, didierstevenslabs.com, especially dedicated to PDF and "shellcode" analysis. His company site is accessible from blog.didierstevens.com.

Xavier Mertens, with his unique "Belgian balloon fish" avatar, present both in his Twitter account and blog, is the author of rootshell.be. On the Internet since 2003, rootshell.be publishes, together with the papers he has presented, very detailed summaries of the security conferences he attends. This is an opportunity to know what happened and what was said there. As in the case of Didier, rootshell.be also links to truesec.be, his own security company, specialized in log management and security testing.

Both authors discuss security issues that are useful to our everyday job. From the pages of their blogs, both Didier and Xavier link to some security tools. Didier proposes his own Microsoft Windows process-related utilities and Xavier introduces evasion tools such as "PingTunnel" and "Dns2tcp".

Information security is still a working field in which many breakthroughs, ideas and new developments come from "informal" channels such as blogs and security conferences rather than through formal academic degrees and scientific journals in the field. These two sites confirm this trend.

In short, a visit to these two personal sites from well-known Belgian security experts gives us ideas for our professional life while they nicely introduce the security companies they have created.


Happy Belgian security reading!

Making bridges