@iiamit @chrisjohnriley bring the sexy to the hack

Discussion at the Security Zone conference has turned to the idea of defensive security – and why we are so terrible at promoting the importance of it.

@iiamit @davemarcus @indi303 @stfn42 @wimremes @chrisjohnriley and me (@myrcurial) have come up with the beginnings of a list:

0. Rediscover your passion for the job you have instead of whinging about the job you don’t have.
1. wake the fuck up and learn how your company works (for realz – not just the techie stuff)
2. use everything you have. whatever the “bad” guys use is fair game for u as well. research vulns on attack tools…
3. Intelligence. Gather it. On you, on your threat communities. Now use it. Intelligently.
4. You have more information at your disposal than you think (logs. Lots of them). Figure out a way to use it.
5. Remember that it’s the users (humans) that will screw you up. Make sure your “plans” include dealing with them (not just tech)

There is more. A lot more.

“Treat defense like offense. No rules, full-scope, in-your-face and a step ahead of you.”

“In football, no one cheers when the offense makes another 5 yards. People cheer when the defensive line crushes the offense. We need to achieve this.”

And from @bettersafetynet — “Take a page from #ptes and start jamming on a mind map?” — yes. Here: http://wiki.doinginfosecright.com

Despite the efforts of membership organizations, standards bodies, governments and individual contributors, several pieces of the infosec puzzle remain missing all of these years later.

It’s time to get back to solving the question: “What is InfoSec?”

Back in 1977, when men were men and the ‘stache was silken and long… Christopher Alexander, Sara Ishikawa and Murray Silverstein wrote “A Pattern Language: Towns, Buildings, Construction” which tackles the art and science of architecture and provides a description of the problem domain and the potential solutions to those problems.

As the authors write on p xiii, “Each solution is stated in such a way that it gives the essential field of relationships needed to solve the problem, but in a very general and abstract way – so that you can solve the problem for yourself, in your own way, by adapting it to your preferences, and the local conditions at the place where you are making it.”

Building the patterns for infosec is not an intractable problem – several people have begun the process – but no one seems to have finished!

Notable prior art includes:

(a) Final Technical Report: Security Patterns for Web Application Development – Kienzle and Elder – 2002 (paper mentions a website that is gone: http://securitypatterns.com)

(b) Weaponizing Noam Chomsky, or Hacking with Pattern Languages – Dan Kaminsky – 2007 (video link from Shmoocon 3)

(c) Security Design Patterns – Gunnar Peterson – 2005 (references the following two resources)

(d) Security Design Patterns (SDP) technical guide – The Open Group – 2004

(e) Dozens of publications – Dr. E. Fernandez – 2002-2010 (do an in-page search for ‘patterns’)

Here’s where you come in…

Let’s start filling up the wiki with good stuff.

“To the glory of the blinky lights and shiny things.” ~~marching song of infosec 1999-2011

There are approximately one zillion pieces of hardware and software created for the infosec industry. Despite what the marketing departments tell you, there are really only three kinds of infosec technology:

  1. policy enforcement device – firewalls, antivirus, access control systems – anything that works to implement your infosec policy in the technical realm.
  2. measurement and instrumentation – IDS, SIEM – anything that tells you what’s going on in the environment, providing information on what’s already happened.
  3. special systems – Hardware Security Module – cases where you have a distinct and special need for something rather esoteric.

Keep in mind that function is more important than marketing terminology. Don’t let vendors convince you that you need to buy yet another security device just because they have invented a new product category. Determine how their new technology fits into your pre-existing set of policy enforcement, measurement and instrumentation, and special components.