J Wolfgang Goerlich's thoughts on Information Security
Unified threat management - multi-function firewalls

By wolfgang. 24 June 2011 17:21

You bought an all-in-one printer. It seemed like a good deal, right? All that multi-function goodness for only a few dollars more than the ink for your current laser printer. Bet it didn’t take long for the good feeling to sour. Jammed paper, smeared faxes, and the like.

Printers gave multi-function a bad name. But firewalls may bring multi-function back in vogue. Specifically, I am looking at the Fortinet Fortigate products. Fortinet has cornered the market on unified threat management (e.g., multi-function firewalls). These devices ship with built-in firewalls, routers, vpns, intrusion detection, Wi-Fi, and more.


Use case 1: novice who needs to get up and running quick. The unified threat management gateway answers that need. The device is preconfigured and integrated. There are options to set, of course, but the time to get the system online is hours rather than weeks.

Use case 2: the dyed-in-the-wool security people. These folks have the time and budget and knowledge to continue to build dedicated security appliances. Such people have an edge over defending their networks for all these threats. You do the cost benefit and if you’re in a mixed role like mine, doing security operations and network operations, I wonder if it’s worth it.

Use case 3: the pragmatic security people. Compared to dedicated point solutions, the unified threat management gateway provides a majority of the security feature-set at a fraction of the cost. Pragmatic security folks can then redeploy their resources to addressing more pressing security concerns.

Needless to say, I am sold on Fortinet’s approach. Consider that every 18 months, silicon is pushing more bytes. We can either get better performance from a piece of hardware, or more functionality from the same hardware. Fortigate means simply doing more with less.


Security | Systems Engineering

Hello SSAE16

By wolfgang. 15 June 2011 09:42

As mentioned in my last, SAS70 has offically retired. SSAE16 (Statements on Standards for Attestation Engagement No. 16) has taken its place and improves upon SAS70 in several ways.

The improvements come from a shift of focus. SAS70 was about ensuring your control framework was sufficient and functional. SSAE16 is about ensuring your systems -- including deployment and controls -- are sufficient and functional. SAS70 was focused on the control structure around specific threats. SSAE16 incorporates risk management and ties together risks, threats, and controls. Going into this, SSAE16 looks set to provide a more complete result.

Another improvement is in the shift from audit to attestation. SOX (Sarbanes-Oxley Act of 2002) requires executive management to attest in writing to the accuracy of the financial statements. comparison, SAS70 does not require attestation. SSAE16 supports SOX by requiring a written attestation of the audit's accuracy from executive management.

SSAE16 should provide a holistic audit with greater executive management participation. This is the first year I have done one, and my audit period begins in a couple months. Wish me luck!


Risk Management | Security

Goodbye SAS70

By wolfgang. 15 June 2011 08:29

SAS70 officially retires today, June 15, 2011. Taking its place is SSAE16.

SAS70 (Statement on Auditing Standards No. 70) is an audit framework that external parties follow to check the state of your controls. The audit is performed by financial services firms, and takes a top down approach. The objective is to ensure that financial results are recorded and reported accurately.

SAS70 has few common complaints: it lacks an objective technical spec, is carried out by CPAs at accounting firms, and misses technical details that leave businesses open to attack.

The SAS70 process emphasizes a truism that IT security folks sometimes lose sight of: the goal is securing the business’s ability to perform in the market. Though related, this is separate from the goal of securing all IT systems.

The SAS70 audit is top down and focused primarily on what drives the financial reporting. It is about prioritization. What is the top priority to a business? Financial success backed by accurate financial reporting.
A vulnerability assessment is bottom up. Your complete security audit would primarily focus on the IT domain, emphasizing technical controls and technical implementation. An audit here would tell you about your firewall ruleset and patching state, for example. What is the top priority for an IT security team? To not get breached.

These two priorities are not the same. Financial success does not prevent security breaches. Likewise, security breaches do not preclude financial success. Therefore, it makes sense to have separate auditor teams looking at the two separately.

As to the complaints of SAS70 audits, let’s step thru them with this background. First, there is no objective standard written into the SAS70 language. The result is that the applied standard is fluid and keeps up with the current standard of practice. Given SAS70 has been around for nineteen years, I think this speaks to the benefit of having an open-ended standard. Second, CPA firms rather than technology firms perform the audit. The benefit is that the resulting audit is driven from a financial perspective and scoped accordingly. The folks that I have worked with are very knowledgeable and are computer savvy, and often carry a CISSA or CISSP along with their CPA

So I found that SAS70 was a valuable tool for a top-down control assessment. As with all these standards, pairing the SAS70 with bottom-up technical assessments is necessary to truly secure an environment. The SAS70 had a positive impact on the industry, and I believe the SSAE16 is set to do the same.


Risk Management | Security

Tip: Google a Domain for Hosts using Python

By wolfgang. 12 June 2011 11:58

I wrote about using dig to perform a DNS zone transfer earlier this year. Such a transfer returns a complete list of hosts that can be targetted. This is generally used as a sanity check because any DNS administrator worth their salt disables such transfers.

Another option is using Google. While not a complete listing, Google will return a well known listing of hosts. The only downside is that it takes some time.

Well, not any more.

Tim Tomes (LaNMaSteR53) released a tool this month called GXFR. GXFR is a Python script that is available for download on googlecode. "The technique involves making search engine requests which restrict the url and site to the target domain. Then, based on the results of the search, excluding the subdomains that are returned. Repeat until the search engine returns 0 results. The final search query excludes all of the public facing subdomains that the search engine is aware of. Conduct a dns look-up of each of the identified subdomains, and you’ve got yourself a dns zone transfer of all the subdomains with public facing web servers."

Check it out on Tim's site. Quite a nifty script.


Security | Systems Engineering

B-Sides Detroit overview

By wolfgang. 6 June 2011 12:46

Do information security conferences seem a tad corporate these days? Too staid? A little too serious? Maybe, maybe not.

Fresh from Source Boston, I definitely had an expectation of security conferences that the new BSides Detroit blew away. Forget vendors and booths. There were none. Forget nametags. How about a piece of tape with a sharpe, eh? Forget av equipment with wireless mics. Heck, forget even having a projector screen. Throw up the slides on an improvised canvas. Let’s get a room full of tech people with a hacker bent, get them talking, get them thinking, and get them outside of the typical conference mindset. 

Outside the norm: that defined the atmosphere this past weekend at the OmniCorpDetroit hackerspace. Present the can-do raw creative experience. BSides Detroit was different, fun, inspiring.

ighlights from the talks are below. I hear planning for a 2012 event is already underway, so more good content to come.

High-level talks:

Rafal Los: Ultimate Hack - Manipulating Layers 8+9 [Management & Budget] of the OSI Model. If you’ve been following Raf’s #SecBiz threads, you know he has been stirring the pot. Think social engineering meets Dilbert corporate America. For me, this was the talk that made the conference. I am hoping to get Rafal back into the area to give us an encore.

Chad Childers: Towards Data Centric, Technology Agnostic Security. I am sure there’s been at least once in your career where you have thought, heck, Bell-La Padula and Biba security models should be good enough for anyone. No? Well, good, you have not been touched by the CISSP mindset. Chad broke down the classic models and argued for a data-centric model, possibly based on ccREL, S/MIME, virtual smart cards, and DRM.

Nuts-and-bolts talks:

Brett Cunningham, Jack Crook, Matt Sabourin: Intelligent Fuzzy Hashing for Malware Similarity and Attribution. We all know that regular hashing (MD5/SHA) works great for finding identical files. But how do we find similar files? Use Fuzzy hashing with tools like ssdeep, which give an indication of how similar (in terms of percentage) two or more files are. Possible use cases include forensics, plagiarism, malware analysis, and data loss prevention. The cool thing is that they are launching a project (www.allsum.org) to integrate the technique with intrusion detection and malicious code detection. 

Mark Stanislav: It's Vulnerable... Now What?: Three Diverse Tales of Woe and Remediation. I am not a PHP programmer. I am less AppSec, and more NetSec. But none of that mattered. Mark’s common sense talk on PHP security was good fun. What’s more, his emphasis on vulnerability disclosure as a community responsibility spoke to me. Just as we would not walk by garbage on the street without addressing it, we cannot ignore garbage in the code. We have an obligation to help keep our Internet clean.



Security | Security Information Management | Systems Engineering

Out and About: Detroit's B-Sides

By wolfgang. 2 June 2011 03:44

I will be at the B-Sides Detroit this Friday (6/3) and Saturday (6/4). I am looking forward to meeting up with the local InfoSec talent.



Out and About | Security

    Log in