(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

China’s cyber-warfare capabilities are ‘fairly rudimentary’… What is it with these crazy Australians?

Chinese strategists are quite aware of their own deficiencies and vulnerabilities with respect to cyber-warfare. In June 2000, “a series of high-technology combat exercises” being conducted by the PLA “had to be suspended” when they were attacked by “a computer hacker”.

China’s telecommunications technicians were impotent against the intermittent hijacking of the Sinosat-1 national communications satellite by Falun Gong ‘practitioners’ in the early 2000s. China’s demonstrated offensive cyber-warfare capabilities are fairly rudimentary. Chinese hackers have been able to easily orchestrate sufficient simultaneous ‘pings’ to crash selected Web servers (i.e., Denial-of-Service attacks). They have been able to penetrate Web-sites and deface them, erase data from them, and post different information on them (such as propaganda slogans). And they have developed various fairly simple viruses for spreading by e-mails to disable targeted computer systems, as well as Trojan Horse programs insertable by e-mails to steal information from them. However, they have evinced little proficiency with more sophisticated hacking techniques.

The viruses and Trojan Horses they have used have been fairly easy to detect and remove before any damage has been done or data stolen. There is no evidence that China’s cyber-warriors can penetrate highly secure networks or covertly steal or falsify critical data. They would be unable to systematically cripple selected command and control, air defence and intelligence networks and databases of advanced adversaries, or to conduct deception operations by secretly manipulating the data in these networks. The gap between the sophistication of the anti-virus and network security programs available to China’s cyber-warriors as compared to those of their counterparts in the more open, advanced IT societies, is immense. China’s cyber-warfare authorities must despair at the breadth and depth of modern digital information and communications systems and technical expertise available to their adversaries.

China is condemned to inferiority in IW capabilities for probably several decades. At best, it can employ asymmetric strategies designed to exploit the (perhaps relatively greater) dependence on IT by their potential adversaries—both the C ISREW elements of adversary military forces and the vital telecommunications and computer systems in the adversary’s homelands. In particular, attacks on US information systems relating to military command and control, transportation and logistics could “possibly degrade or delay U.S. force mobilisation in a time-dependent scenario”, such as US intervention in a military conflict in the Taiwan Straits.

China’s cyber-warfare capabilities are very destructive, but could not compete in extended scenarios of sophisticated IW operations. In other words, they function best when used pre-emptively, as the PLA now practices in its exercises.

In sum, the extensive Chinese IW capabilities, and the possibilities for asymmetric strategies, are only potent if employed first.

Desmond Ball: China’s Cyber Warfare Capabilities

Oh Desmond…

Desmond, Desmond, Desmond… You spend so much time pointing out all of the Honker Union activities, the malware created by China, and all their overall IW/Espionage activities and then you say:

“Well, because there’s no real proof of their actually having done anything, they are unable to do so”

*blink blink*

Crikey! Have you been sipping what Dr. Wright has been drinking or what? Tell me Desmond, what is your classification rating? Because I think you are lacking some pertinent information that might change your hypothesis quite a bit. Either way, your contention is lacking understanding of the playing field I think, so let me enlighten you a bit ok?

Rudimentary? Really?

I personally have heard of “on the fly” coding of malware to affect pertinent systems within a defense contractor network to not only keep access within said network, but, also to exfiltrate even more interesting data. Now, that sounds rather advanced to me..

How about you?

Sure, the coders could have been just about anyone, but, the data was being exfiltrated to areas that were in the Asia Pacific and more than likely were Chinese in origin so, yeah, it likely was them and not say, Germany. However, once again, we have no real proof of it being “solely” China. Oddly enough though, when data was caught in the hands of the Chinese we pretty much had to admit it was them doing it. So, no Desmond, they are not wholly unskilled, nor as unsophisticated as you would paint them. This is just one instance of access and hacking that allowed for the APT (Advanced Persistent Threat) activity that, well Desmond, was coined for their activities against the defense industrial base here in the US.

Simply Desmond, you can cite all the articles from the internet you want.. You still won’t have the whole picture.

PSSST… Guess What?

So, to move this further along the philosophical and technical path for you, let me explain it another way. The Chinese, as with most of the Asiatic countries, have a different perspective on things than we in the West. Some things core to the Chinese mindset on warfare are the following:

The Chinese do not have a goal of outright cyber warfare with us. In fact, they would use the subterfuge angle you speak of by leaving trap doors in software and hardware, which they have done in the past (and have been caught). However, more than likely, they would use the supply chain that we have allowed them to become the lion’s share of via outsourcing of cheap parts/labor to infiltrate our systems with bad chips or said same back doors. Why do you think we spend so much time (the military) checking everything that we get for the government/mil from China?

Soft power, Desmond, would dictate that they use the thousand grains of sand to not only steal our IP but also use the technology and our dependence on their cheap rates to insert bad data/systems/hardware into our own infrastructure for them to call up when needed to fail. This is not to say that they do not also have operators who have inserted code into other systems remotely to later be used when needed as well.

Simply Desmond, you don’t see the whole picture and it’s rather sad that you go on to make such defined claims. The simple truth is that the Chinese don’t need to attack us pre-emptively. They have been undermining us (US) for a very long time as we sell out to them for cheap goods and services. THIS is soft power. They now sit in the catbird seat in many ways financially (though yes, they could lose much by us defaulting); however, from the soft power perspective, they hold the upper hand. A coup de grace would be to take down military systems were we to get uppity about Taiwan.. but really, are we in a position to do so after being wholly owned by them and their capital?

Desmond.. It’s not so much Red Dawn as it is “They Live” if you are into movie references.

網絡戰 !!!

Alrighty, now that I have gotten that off my chest, Cyberwar is to me, too hard to carry out for ANY of the countries out there now. China being only one country that might want to. The systems are too disparate and to control a single node would take great effort. So, yes, I can agree with you that they are not in a position to do us major damage from a CYBERWAR booga booga booga perspective. Frankly, no one could in my opinion. However, your contention that they could not insert bad data during a time of war is a load of crap.

ANYONE could IF they had the access and the desire. It would not need to be a nation state, it could be a private citizen for that matter. What is more interesting Desmond is that you fail to understand the espionage angle here. The Chinese use their expats to do their bidding under threat, or, mostly under the “poor poor China” argument. Imagine an insider adding code to systems that could be triggered…

Yeah.. Soft power once again.. It could turn hard though with the right circumstances.

Once again Desmond, you think too one-dimensionally.

The Sad Truth…

Now, with all of that said, let’s turn it around a bit. The saddest truth is this:

“Given all of what has happened recently with Lulzsec, it has become clear that it does not take an uber hacker to take down pretty much anyone”

The systems out there have not been protected well enough. Patching, and secure coding have not been at the fore here and thus it is trivial for the most part to hack into systems throughout the internet. So, the Chinese need not be uber haxx0rs to do the damage needed because we collectively have done a bad job at securing our own networks.


Once again, you fail to look at the problem from a more multidimensional angle.

Please go back to the drawing board Desmond because you lack the proper information and perspective to really make the claims you are making.


Top 5 ways to destroy a company.. But Will They Sign Off On That?

I watched the BruCON talk Saturday by Chris Nickerson “Top 5 ways to destroy a company” and was surprised at some of the things that were proposed on stage. On the other hand, I can agree with some of what he said too. For years I have lamented much the same thing that Chris did on stage. All too many times you give the client a report after actually finding major vulnerabilities and they either just don’t get it, or, and this is more often the case, don’t seem to care about the findings. You can “root the shit” out of them as Nickerson said, and still, they just look at you and say “So?”

The truth of the matter for me comes down to a few different factors:

  1. A lack of understanding the results that you present them
  2. A lack of situational awareness to understand that those same vulnerabilities can lead to dire results when used by a motivated aggressor
  3. A lack of latitude or perhaps initiative on the part of assessment specialists to flesh out these scenarios within the reports and the meetings to discuss the findings with the client

Nickerson too gets to this and asks:

Well why does that happen?

  • What we give them isn’t important. Managers don’t care about shells!
  • They don’t care about what we care about!

What do they care about?

  • The product line
  • The Brand
  • The Employees
  • The Bottom Line

I would also add “Their own asses” to this list as a fifth because really, what else motivates an employee (including C levels) is whether or not the decisions that they make will cause great financial loss and, in the end, their dismissal. Of course you then face the task of once again getting that horse to the trough to drink, and you know how that usually goes huh? This is where Chris kind of went off the rails for me and, I think, for more than a few people watching the talk. It would seem that advocating “destroying” the business would be counterproductive to having a job yourself, once you had performed the magic tricks that he suggests.

Top 5 ways to destroy a company

  • Tarnish the brand
  • Alter the product
  • Attack the employees
  • Effect financials directly
  • ** Your turn! **

The talk really did not elaborate on how to do this with regard to getting a company to sign off on this in the first place, and then as to how to carry them out, proving the concept without actually causing harm to the company that you are assessing. It has been my experience in the past that if you actually explain cause and effect in a report as well as the meeting, you can get across the real meaning of that shell you have gotten. The problem then becomes whether or not your client “gets it”. You can explain it flawlessly but still not yield the changes that your findings require because those people you just presented your findings to “just don’t care” as Nickerson said. So his premise is quite right. You have to actually hit them where it hurts to get action sometimes. But just how do you do that, get it across to the client, and not get your ass thrown out or arrested for those actions?

The talk goes on to highlight something that actually isn’t so new to intelligence agencies, both nation state and other. It’s called “Profiling”. You profile the target, you get to know what makes them tick, and if you are aiming to do them harm, you look for their weak points and then exploit them. This is much the same thing you would do to a computer system, application, or network to attack it. What Chris was saying, but not really saying directly, is that you have to take the precepts of “Information Warfare, Guerrilla Warfare, and Intelligence Analysis/Operations” and use them all to profile the target and formulate a plan of attack. By using these techniques (aka footprinting a network, say) you apply it to the whole business to determine how you “could” destroy them, or perhaps more to the point, damage them into reactionary actions (and for all intents and purposes in this talk, “listening to the security industry”).

The unfortunate thing though that this talk did not cover is that even when you show people you have “access” to something, and you tell them what you “could” do, you still may not get the reaction that you need to get from them to actually fix the problems. This is where the talk breaks down for me because I frankly just don’t see too many assessments happen out there with a “carte blanche” SOW that says you can do anything to them you want. All too often the client wants specific things checked and gives you only small amounts of time for targeted attacks. So sure, you can go change a pdf file of their prospectus, and print one out to show the management, but will presenting that actually change their minds? After all, I still think that human beings are quite bad at determining long term threats like this.

Overall though, Nickerson has it right. Use chained exploits (not in the regular definition you may be used to here) to escalate access and then use the information to show “how” you could affect the supply chain, or the financials of a company. Or, how you could steal certain types of data to sell to competitors, maybe even just how to hold it hostage. The problem is that without actually committing the acts, all too often you come off as a fiction writer in their minds as well, as they look at you thinking:

“But, he’s just some uber geek… this won’t happen in real life, I mean we hired these guys because they can do it.. INCONCEIVABLE!”

It all comes down to how you present the data and scenarios to the client that will get them to react… Or not, as the case may always be… Until they are really compromised and by then, it’s too late.

So, where does that leave us? In the same position really, but it behooves us to be better communicators with the clients. We need to be able to perform the following actions in every assessment:

  1. Profile the business overall, where they are in the market, and their history
  2. Profile their business model and their product or products
  3. Profile their request for an assessment by you (why are they doing it? SOX? PCI? or are they interested and engaged)
  4. Profile the employees and C levels (are they engaged? Do they buy in on security?)
  5. Formulate scenarios that would cause varying levels of damage (targeting them)
  6. Meld not only the technical side of things but also look at their processes. If they are lacking there, you are likely to see much more potential for high collateral damage exploits or chained exploits

Unless you can put a whole picture together and then prove it if they actually give you a go ahead, then you are just another technical monkey saying “Look Shells!” as Nickerson put it.

I think that is what he was driving at through all of the ranting…

So, consider this the paradigm change… Consider what you do “Information Warfare” and not just hacking assessments. Perhaps then, once the industry takes that next step to herd the cats, we will see change in the clients’ understanding of why we find these things and say “You’re fucked!” This is something that has been written about before. Without changes, the security industry will continue to be effective only as long as those you are working for are already engaged and understand security issues.


“Strutting and fretting his hour upon the security industry stage, And then being heard no more” Trois

The Playing Field:

In my previous installments of this series, 1 & 2, I discussed the general environment and the players within the infosec business; now let’s talk about the specific playing field, or more to the point, the rules of the game thus far. It would seem that the playing field is always changing and never really defined because of the nature of the technologies involved. Technology is evolving quickly and so are the security risks to those technologies.

Given that we have a moving target to begin with, you have to then look at the methodologies used to “audit” a company/facility/system/network/processes. What once may have worked very well may no longer work because the technology has changed or been made redundant. You also have a large “human” element to deal with in any security assessment, not only from the point of view wherein social engineering is used, but also the vagaries of human nature such as sloth. Laziness as well as cluelessness can destroy the security values quicker than a new Microsoft vulnerability in the wild.

Also, as I said before in the previous posts, the management and the egos/political chicanery that go on within a company are also a major factor in having a successful audit cycle where the recommendations are actually carried out. If you have a bunch of C level louts who want nothing to do with the prescribed fixes, then they will not get done and the security picture is a truly broken one. This too also points back to the human nature factors.. and well, no need to beat the horse, it’s already dead huh?

What it all boils down to is this: there are just way too many ways that a company can open itself up to vulnerabilities and it takes a rounded approach to do the due diligence for that company’s security posture. Just as important is the fact that the information security business has become a leviathan full of competing entities from the quacks to the bleeding edge, and what you need to do as the auditor as well as the client is separate the wheat from the chaff to do what’s best for the “security” of the company/client.

Current Approaches to Security Auditing:

Information security as it is today has been evolving since the dawn of time. Everyone’s got secrets that they want to keep.. Well.. Secret. Anything from the secrets of how to make a strong steel sword to the secret sauce used in a chicken recipe. Over the centuries methods of protecting these secrets have evolved. From simple hiding places cut out within books to elliptical encryption schemes, they are all seeking the same thing, to keep what they have from getting out in the open.

Today, we have a set of technologies, evolving by the minute, that all potentially expose the data we want to keep to ourselves to everyone able to connect to the network. In a way, oddly enough, it seems to me lately that if you really want to keep something secret you have two choices for doing so:

1) Keep it in your head, never write it down, and never utter it aloud

2) Create a one time pad, encrypt it, and eat the pad… Yeah, you will never be able to decode it, but, it will stay “secret and safe”

All other methods, well even these, can be subverted and your secrets accessed. What’s even more readily so is if you house that data on networks, hard drives, papers, post-it notes etc. All you can really do is take due care to ensure that it will be that much harder to access the data in the first place, and to encrypt it so that it would take someone a considerable time to decrypt it. Remove that layer of encryption today, and you might as well make a truck based billboard and drive around with your secret sauce recipe in large bold type for everyone to see. It’s just a fact that even if you take all the precautions, there is still a good chance that your data will be stolen.

It’s just the nature of the beast… Ask the Pentagon…

So, with those words ringing in your ears, you might be thinking “what’s the point then?” Well, if you are doing the due diligence then the likelihood of that data not only being accessed but used, is much less likely…. And I would take much less likely over a sure thing any day really in this business. So, how we go about the process of trying to place protections into the companies, networks, and systems is a key to the overall security value that we leave them with.

These are the current methods of auditing in the business today:

  • Ethical Hacking/Pentesting

Ethical hacking is a good thing but a very narrow method of testing security. You are usually given a sliver of time and a list of targets (if you are lucky). On average though, the system that the client wants to test with this kind of test is something they have attempted to protect already and they just want to be sure it’s secure. Meanwhile the back end and everything else around it may be unsecured and lead to utter compromise.

This is a good model for small testing. If you are lucky and given a whole network to check, then you have more latitude, but all too often the targets are too narrow, as well as the time frames, to really have great meaning to the overall security posture of a company/system/network.

  • Vulnerability Scanning/Reporting

Many clients do not want a hack performed. Many more times you will have clients that want to just have a vulnerability scan run to see where they may have problems. This can be beneficial in that you usually get a larger target area to scan and if you do the work right (not a fool with a tool) and hand check the results for proof, then you can reasonably tell the client where their technical problems lie. Of course this too is also basing the findings on a tool or set of tools (as you should use multiple tools) to gauge the security issues.

The vulnerability scan also gives you an ideal point of view to look at the overall network architecture. This can also be used to show how vulnerabilities can logically lead to great and small compromise. Perhaps this could be its own sub-section called “network architecture assessment” but, this often can be just tied to the vuln assessment.

Some would say at this juncture also, that unless you truly exploit the vulnerabilities and show them you can steal their data, they will do nothing. I would say that this is a little self serving in some cases on the part of those who want to just hack, but I would also say that often, it is the truth because of the lack of awareness on the clients part where the odds of compromise are concerned.

All too often the client thinks that no one else but this hacker in front of them could do that magic thing that they are warning them about… “Inconceivable!” So, even if you show them the proof of concept, they may still write it off as an acceptable risk… Human Nature at work.

  • PCI/HIPAA/SOX audits (Policies & Procedures)

Here we have one of the least loved audits on the part of many in the security industry and yes, it can be tedious work. However, I would say that this is an integral part of the security picture even if the actual regulations out there are weak and toothless for all intents and purposes. Of course a hacker would say they are unimportant because they can still exploit the new 0day and game over, but, that is just one vector and relies on the technology being 0day’d.

The reality though is this: All too many times there is WAY too much low hanging fruit to be found to exploit at companies because they have little to no solid security policies, procedures, and standards. What’s more, the 0day exploit that the hacker would love to use might be negated IF the company has been following processes that might block their attack.

Its been known to happen.

So for all those out there who feel that the audits are useless.. Maybe they are if you just have a non-technical auditor from, say, PWC. It’s just a check box for them to check off as to whether or not you have them in place. They may not even take the time to really think the documents through in their heads to see if they make sense. THIS is a real disservice to the client and lends no security value whatsoever.

What needs to happen, and I have been seeing a trend of this lately, is that the auditors out there are including a more technical person in their teams. Someone who can map the policies, procedures, and standards to the actual technical security picture. Once you meld the two together you can explain fully how a missing policy can lead to a compromise of the company data.. Hell, that technical person can even show you the actual exploit at work if they are allowed.

At present though, I don’t see too many PWC teams who do this. As well, I don’t see too many teams in the industry performing this as well as hacking all in one package that MUST be tied together. So far, it’s been more of a buffet style menu out there in the security industry for auditing.. Never mind the technical snake oil sales of the “one product to protect you from everything” mentality today.

  • Physical Security Penetration Testing & Social Engineering

Physical penetration testing is not something that companies usually contract for. At IBM we usually had this as an “added value” assessment that you could “maybe” sometimes get to carry out. I know others who perform these tests as BAU too and in each case, I think these kinds of tests or observations should be an integral part of a security report to any client.

It is often said that criminals take the path of least resistance.. I believe that to be true, so why am I going to lay siege to your firewall if I can just walk in and gain access to your data locally? It’s basic principles of warfare here and you do what’s most expeditious to make quick work of the battle. Frankly too, the softest part of any company is its physical site, and its employees.

Without a proper perimeter, as well as aware employees, one can gain access to the keys of the kingdom fairly easily and quickly and then it’s game over. Just as easy may be just sidling up to an employee and playing clueless on site to get whatever you need. All you need to do is have a grasp of human nature and you can win the day.

  • Coding and Code Audits

Coding… The bane of everything security. Why, you ask? Because it’s the basis for 85% of the vulnerabilities out there. Poor coding practices from the application to the OS levels are a boon to the adversary. Lately the movement I have seen within the security literati has been to lament the poor coding practices out there by the big companies making our applications and operating systems.

You know what? They’re right. However, what is it that they are saying here?

Hmmm… How about this “Where are your coding standards? Procedures? Policies? Due Diligence anyone?”

Yep, we are back to the level of policies, procedures, and most of all STANDARDS!

Yes Virginia, the standards are lacking from a local to a global perspective on secure practices. Just look at the whole debacle over voting machines and ATMs *cough Diebold cough*. All you really have to do is just look back a couple weeks to Black Hat and the one-armed bandit talk on ATM security.. Or more to the point, lack thereof. This is a big issue that stretches from the big companies selling coded products to the companies designing and implementing poorly coded systems internally that lead to compromise. After all, how many times have we all seen hard coded passwords passed in the clear on local networks huh?

Can There Be A Holistic Security Approach?:

This brings me to the crux of my point in this article. Can we in the industry actually get a process in place where the audits cover all of these areas as a mandate and lose the whole buffet approach to security? The buffet approach just does not work overall and something needs to change. We need to be able to go to a company and give them an overall fitness report on security with recommendations on how to fix the problems. Without this, the assessments will always be just CYA for a particular area of a company while the rest of it burns like Rome under Nero.

Are there any companies out there that only offer this?

Would this actually be a viable business model today?

I would like to think so, but unless there is buy-in on the idea as a whole, well, we are back at square one feeling frustrated at the business and the quackery huh. However, the nature of security is at odds against us here isn’t it? After all, aren’t we all Cassandras here? No one really wants to hear what we have to say because it’s scary and requires work.

And that’s the rub isn’t it?

Can We Get Companies to Code Securely and Ethically?:

Finally, that 85% of the problem? Yeah the coding practices… Can we as a country, never mind a global community, actually force companies to code securely and perform ethically? It would seem not because of the nature of business today at the very least. Look at what has happened with corporations and the economy with regard to Wall Street and such. Sure, there’s all kinds of legislation being made now, but really, are those rules going to stop the companies from doing bad things?

So how do we enforce the secure coding of applications and operating systems if the laws are not in place to mandate they follow the standards?

Best Practices? Uh yeah, often you get a laugh out of that when you mention this as what must be done. Without a real disincentive the companies will continue on with sloppy coding to bang it out and get units on the shelf and duckets in the bank account… Oh, I can hear the Republicrats and Libertarians freaking out now…

Time For A Sea Change:

In conclusion, I think that unless we get a handle on the regulations as well as the paradigms for change within the security arena, we will be forced to just be that same hamster in the wheel. We can see the cheesy bit outside the Lexan of the cage well enough, but we just can’t seem to get there to get it.

Time for some solid change.


Up next:

Opposing Forces:

The Government and Compliance:

The Corporation and the Seven Deadly Sins:

Crackers, APT, and Bulgarians Oh My!:

Written by Krypt3ia

2010/08/13 at 14:05

“Strutting and fretting his hour upon the security industry stage, And then being heard no more”

The Frustration And Gnashing of Teeth:

Recently, I have heard others lament the state of the “security industry” and have posted about my own adventures into the land of FUD and Security Theater, as well as a side trip into the shadow lands of denial. My last post about a call that went awry also got responses from others in the business, including Mr. Reiner, who had a post somewhat similar to what I had written about, but took it further. His post mirrors much of what I am hearing and feeling myself now 13 years into it.

  • The industry has become just that, an industry that makes cookie cutter security and passes mediocre services as “state of the art”
  • The industry is now full of salesman and charlatans like Gregory Evans and Ligatt
  • The clients still just don’t get it and often do not want to
  • There are too many bells and whistle firms but too few true “holistic” security offerings out there
  • The exploits and vulnerabilities are growing at a rate faster than Moore’s Law and never will there come a time when you can catch up
  • Nothing is truly secure
  • Regulations are inadequate mechanisms for security best practices inspiration (notice I do not say compliance here)
  • Coders and the companies that hire them are coding insecurely and do not wish to change that
  • Greed is Good (Gordon Gekko)

Generally, the experience out there is that, as with anything else someone loves to do as an avocation that turns into a vocation, it becomes not so much fun anymore when business gets involved… especially big business. Unfortunately, this is exactly what has happened today with information security/technical security. It has become a pre-packaged, pick-your-services, lunch-counter style of operation, and you rarely get what you really need; instead you get the fatty Happy Meal.

Taking A Step Back:

As professionals in the field we all have different skill sets and personal bents on and in the security theater. I am putting us all into the "theater" because really, we are all like Shakespeare's player who "struts and frets his hour upon the stage, And then is heard no more". We are in fact oftentimes the character of "The Fool", the one man who is the outward conscience of the king and the one person in the court who can tell the monarch the truth: that they indeed have no clothes on. Of course this really only works for those who are contractors/consultants and can leave the site after handing over a report on the court's vulnerabilities and how to fix them. Unfortunately, if you are a full-time employee of said "court" you may indeed find yourself in the oubliette quickly enough. We need to embrace this fool role and then decide just how we will approach our careers, as well as the means by which we ply our trade for the betterment of the courts we serve in.

One must remember that we all serve the will of the king… And sometimes the king is an idiot, lout, Luddite, or schmuck.

My Goal Here:

My goal with this post, and with what I think is shaping up to be a series of them, is to cover the players involved, the game being played, and the realities of our business. So many of us are running into the same walls, and I have been hearing the same things over and over from you all out there, as well as in my own head as I deal with clients. All too often we do our best to tell the client that they have vulnerabilities within their organizations and their infrastructures, all for naught.

Others see the bigger picture: with everything that we do, there is still always a way into the org and its infrastructure, and a method to steal its data. All too often this happens because of simple low-hanging-fruit attacks such as SE attacks, or completely unsecured networks that lack the policies and processes that might in fact prevent many of these attacks were they documented and enforced.

Still others see the grand scale of not only the snake-oil salesmen out there but also the malfeasance of the companies that make the software and hardware systems (might I mention ATMs, Diebold? yeaaahhh I think I will) that are completely insecure, and egregiously so! Even in this day and age where hacking/cracking is so prevalent they STILL do not want to take the time and the effort to code securely… And as Weld Pond said today


To that end, I have created the following framework for the posts to come. Some of them are posed as questions and, if you like, you can comment with answers that you think apply. Overall though, I would like to pull apart the security industry, as well as the motivations of not only the vendors but also the clients. I want to lay out all the players and variables, examine them all, and then come up with a strategy for what I am currently calling "Holistic Security" (I know, all scented-candle, touchy-feely, new-age sounding): a method of looking at the security needs of a client and offering them what they really need, as well as methods to bring that client to the trough to drink from the security well.

I know… This is going to be nearly impossible, huh?

It's either this or just packing it in and walking away though… Really… Once you reach a point where you hate the job and you constantly feel that you are doing nothing to change things, you either have to walk away or make drastic changes happen.

What do you think? Don't you think that with all our SE and other skills we ought to be able to overcome all this?

Check out the framework for the future posts and let me know… I will work on the players tomorrow.


The Players:

Some of us Just Want to Have It Done Right:

Some of Us Just Want to Hack and Do Cool Shit:

Some of us just want to Be Researchers:

Some Are Just LIGATT:

The Playing Field:

Current Approaches to Security Auditing:

Can There Be A Holistic Security Approach?:

Can We Get Companies to Code Securely and Ethically?:

Opposing Forces:

The Government and Compliance:

The Corporation and the Seven Deadly Sins:

Crackers, APT, and Bulgarians Oh My!:

Every Fortress Falls:



Lockheed Martin

Is There A Framework and Methodology For Holistic Security?:

Security Basics:

Security Awareness vs. Human Nature:

Policies, Procedures, Standards, and Compliance:

Penetration Testing:

Social Engineering:

Written by Krypt3ia

2010/07/29 at 01:42