I’m moving

I’ve finally got round to setting this blog up at my actual URL –

http://kevinfielder.co.uk

All historical posts have been moved there, and that will be the home of all future posts.

I have been looking at ways of separating out sport and IT / security posts into two separate blogs on the same site, however despite UK2 assuring me this was possible with their normal hosting package, it transpires that I would need to invest about three times as much per month to have their business package in order to be able to host two personal blogs.. The search continues, but I will be setting up clearer tagging and some links at the top of the home page to take you directly to content of interest.

The site is still a bit of a work in progress so the appearance and links may change a bit over the next few weeks.

Looking forward to seeing you there!

K

Posted in Uncategorized | Leave a comment

Training update 1..

Well I’ll obviously have to think of some more catchy titles for training related posts than 1..2..3.. but that will do for now. (ideas welcome!)

So I said I’d be posting these under the training page, however it seems WordPress doesn’t really like that idea and wants to just dump everything on the home page so we’ll just use category tags for now. There does appear to be come ways to change this by adding code to the pages / posts so I will probably look into this at some point, although it’s not exactly high on my agenda of interesting things to be getting on with!

Recent progress includes completing the foundation course at Crossfit Antaeus (http://crossfitantaeus.com/) and beginning to work more on cleans and false grip. False grip is a gymnastics inspired way of holding rings / the bar that makes the transition from chin up to dip more feasible in order to do muscle ups – they will be next on the list once I have mastered the grip.

Double unders continue to elude me in any real form – I can do one, then a few singles, then one and so on. I’ll no doubt get there soon.

Motivation is currently very high, and progress is in reality good although it is easy to get frustrated as I know where I want to get to and want to get there now. I have to keep reminding myself I have an 18 month to 2 year plan, not a 3 month plan!

In terms of gym, I can’t speak highly enough of Antaeus and Matt the head coach – he is an excellent coach and annoyingly good at all the technical movements.

This week has included, power and squat cleans, thrusters, skipping, rowing, kettle bells, push press, false grip chins, ring dips and squats amongst other things. In terms of strength I have dropped in a lot more low rep work so much of my squatting is 5 rep sets, and we also tend to do one or two 1 rep max sessions a week as well. This is great and a real departure from the approximately 10 reps per set for everything rut I was in before.

Tonights WOD was Elizabeth, first time I have done that one, and second set of cleans this week.. Took 11.32 which is pretty poor, but lots of room to improve once I get my clean act together. Luckily dips are easy so provided some respite! (Elizabeth = 21, 15, 9 reps of 60kg squat clean and ring dips. Shredded hands are an added bonus!)

I want to cover of diet in some detail as well, but I’m at the gym again in the morning so it’s time for bed!

Read this today which amused me;

http://crabcakesncrossfit.wordpress.com/2013/07/10/on-being-an-asshole/

Basically work hard and don’t be lazy :)

K

Posted in Crossfit | Tagged , , , | Leave a comment

Security Awareness Training – Worthwhile?

One of the topics that I sometimes think about is the value of security awareness training.

This tends to be a topic that many people in the security industry seem fairly passionate about, either for or against the value of it.
Vendors of software / programs such as Wombat, PhishMe, SANS etc. are all very pro user awareness training and regular programs to raise security awareness.
Conversely companies who sell products and not training are likely to strongly advise security budget is spent on tools rather than awareness training. To renforce this point at RSA Europe last year I actually asked a couple of senior RSA guys about the value of awareness training when they did a presentation around improving security and where to spend, and was told somewhat strongly that awareness training was basically a waste of time.

So the question is who is right, or do both sides have a fair point?

On the for side – how can users be expected to act securely and know how to act securely without some training? People need to learn and understand how to spot phishing emails, why it is bad to send anything non public externally without it being encrypted, why stronga and unique passwords should be used, how to spot social engineering etc. Security awareness training and campaigns can serve a dual purpose -
– Ensure users learn more about security for both their work and home IT / online lives
– Raise general awareness – a continual program of advice and varied messages keep general security and secure methods of working on peoples minds – this should not be a once a year process.
Any increase in security awareness and reduction in the attack surface that is the human user must be a good thing right?

On the against side – what is the most effective way to spend a limited security budget? Does spending budget on training offer the sam improvement in overall security as say adding a further layer to the defence in depth strategy or hiring extra dedicated IT security personel? Even with training a significant number of users will stil click the link in a phishing email or give out details they shouldn’t to a social engineer, so you still need all the other defences, both technical and personel even if an extensive security awareness program is undertaken.
– Users will always be a large security risk, so it’s best to treat them and their actions as untrusted and create a security posture accordingly.

So which side is right? I think to a large extent they both are. Depending on which report you read, something like 60-80% of all APT (Advanced Persistent Threat) attacks are initiated via social engineering – e.g. getting a user to do something for the attacker. So the most insidious attacks that are very difficult to detect and currently being used by the security industry as the driver for selling new security tools tend to start with the user. Then surely reducing the chances someone will succumb to social engineering much be a good thing? Yes you’ll never get to 100%, but then no actual security device ever detects or prevents 100% of attacks. So why do security tool vendors not like awareness training? Likely money and profits.

A balanced approach is key, understand the environment and threat landscape your company operates in and create a holistic security program encompassing the necessary tools, skilled security personal and user awareness training.

So, how can awareness training be made as effective as possible? Along with mixed and continuous messages and taking the time to make security part of the culture, the key thing is to get the message to people and make them want to take it on board. I think there are two components to make this successful;
– Fear – not with lies or exaggeration, but highlight real stories, as especially stories that people will relate to so think Playstation and Bank / online shopping hacks.
– Make it relevant – Link the secure ways of working to peoples home lives so highlight how they can be secure online, not fall for scams, use social sites as safely as possible, shop safely etc.

To conclude my opinion is that security awareness training does add real value and should be part of any security program. It does not however replace in anyway the need for a strong defence in depth strategy aligned to your business and threat landscape. What do you think?

K

Posted in Security | Tagged , , , , , , | Leave a comment

Denial of Service attacks part 2

My previous post on this topic covered the basics of DDoS in terms of what it is and the most commonly thought of attack type.
This post will cover some of the more interesting DDoS attacks that don’t rely just on the brute force approach of massive traffic volume to bring down a service, which attacks are also known as volumetric attacks.

The two categories of DDoS that will be covered in this post are known as RFC / Compliance Attacks and Compute Intensive Attacks.

RFC / Compliance Attacks

These typically work against vulnerabilities in either network protocols or web servers. Some examples of this form of attack are;
– Ping of Death; attacks and ICMP vulnerability
– Teardrop; works against TCP/IP fragmentation vulnerabilities in many implementations of the protocol suite
– Land; Spoof source address to send SYN packets to the host from it’s own IP address
– Apache Killer; TCP based attack against the Apache web server
– HashDoS (hash collision); attack that creates hashing collisions to DDoS various web and application servers

All of the above attacks exploit vulnerabilities in networking or application implementations and do not require a huge volume of traffic to potentially bring down a service.

As more detailed examples;
– Apache Killer; This relies on the fact that the byte range filter in some versions of the Apache web server allowed attackers to cause a DoS of the sever by sending it a header that covers multiple overlapping ranges.
– Hash DoS involves exploiting hash collisions to exhaust CPU resources. This is cause by the ability to force a large number of collisions via a single, multi parameter request.

Compute Intensive Attacks

These are attacks that typically exploit weaknesses in application workflows / process that allow certain interactions to use huge amounts of server resource or take inordinate amounts of time. Some examples of these are;
– HOIC; attacks by sending very Slow Gets, and Slow Posts
– Darkshell; send SYN, attacks HTTP idle timeout congestions
– Simple Slowloris; sends incomplete headers
– RUDY; Slow posts and long form field submissions
– Tor Hammer; sends very slow posts

These work my sending multiple slow or incomplete requests in parallel, this can quickly exhaust the web or application servers ability to service new requests without requiring a huge amount of bandwidth or resource from the attacker.

How have these evolved over the last few years?
– Initially stated with attacks like the original Slowloris that sends a very slow GET requests where the header is send extremely slowly such that it almost never actually completes. This has been very effective against the Apache web server
– Then there was the slow POST, as with the slow GET, this is a POST that is sent so slowly it almost never completes. This one is also affective against various flavours of IIS
– The most recent addition is the slow Read, where a large object is requested, then downloaded extremely slowly

These all enable the attacker to use up very many connections on the web or application server without the need for large bandwidth to be at their disposal.

There has been further tuning of these type of attacks to be specific against applications and databases that use similar techniques to make ‘legal’ requests of the system that lead to large resource requirements on the server. These can be targeted and fine tunes to cause maximum damage.

These types of attack are much more insidious than the volumetric attacks covered in the previous post as they need less resource at the attacker end so can be easier to launch. In addition the compute intensive attacks make use of allowable, normal application behaviour that is manipulated to cause a Dos condition. As such these attacks can be much harder to detect and block; at what point does a connection that is potentially just over a slow connection be identified as an attack?

This is where you have to start looking at advanced application layer defences that are tuned and configured specifically for the applications they are defending. This is another relatively large topic that I’ll likely cover in a later post, as we have now covered off the three usually identified categories of DDoS attack.

K

Posted in Security | Tagged , , , , , | Leave a comment

Training / Crossfit

Training / Crossfit.

Posted in Uncategorized | Leave a comment

Denial of Service Attacks part 1

Denial of Service attacks (DoS) and Distributed Denial of Service attacks have the same purpose; to make the service in question unavailable to those trying to make use of it.

The type of attack most commonly associated with DoS / DDoS is that of bandwidth or resource exhaustion.  These are attacks where a malicious user or group sends a large enough volume of traffic to the service, usually a web site, such that it becomes unavailable to legitimate users.  These attacks are based on simple math, if a web service has the capacity to service 2Gb per second, and an attacker can consistently send greater than 2Gb per second then they can likely make the service unavailable to legitimate users (anti DoS measures not withstanding).  This also works in terms of server resource, if an attacker can send enough requests to overload the servers hosting a service they can make the service unavailable to legitimate users.

At its simplest, this type of attack originates from a collection of machines, likely a bot-net, all sending requests to a web service until the bandwidth that service has available is exhausted.

This type of attack has historically been very successful in taking down web sites / services for periods of time.  It is however an attack that has well defined methods of defending against and many vendors offer services to protect against it.  These usually take the form of high bandwidth ‘cleaning centres’ or ‘scrubbing centres’ that monitor traffic going to through them to their customers.  These employ various trafic analysis techniques and can block / clean very large volumes of traffic while still sending legitimate traffic onto the service that is under attack.

This type of attack is made considerably worse by the ability to amplify the attack such that a relatively small volume of source traffic can become a huge volume of traffic hitting the victim systems.  Examples of these amplification attacks are ‘Smurf’ and ‘DNS amplification’.  These attacks have received considerable press recently due to their successful and high impact use in things such as the Spamhaus attack;

http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/

This was billed as the ‘biggest DDoS attack in history’.

A good overview of DNS amplification attacks can be found here;

http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack

The success of these attacks highlights the need to ensure that all internet connected routers and DNS servers are correctly and securely configured.  Most (possibly all) of the amplification attacks rely on address source spoofing – they spoof the IP address of the victim systems as the source of the initial request so that the amplified replies go to this address, not the attackers.  I find it a shame that these types of attacks that rely on source address spoofing could largely be eliminated if devices were configured according to RFC 2267, published in 1998!

http://www.ietf.org/rfc/rfc2267.txt

However, while these attacks are both common and insidious, they are the most simple form of DoS/DDoS attack.  They are also the most simple to defend against for all but the most massive attacks.

So that briefly covers the most commonly thought of Denial of Service attacks.  The next post will go into more details around the much more interesting, to me anyway, DoS attacks that work by attacking issues in TCP/IP stacks, and web server functionality etc.

K

Posted in Security | Tagged , , , , , , , | Leave a comment

RSA’s First UK Data Security Summit – part 3: Defend with confidence against advanced threats

This talk covered three agenda items, with an obvious focus on RSA Security Analytics.

1. Why / how security investments need to shift

2. Building a SoC

3. Demo of the tool

Obviously I wont be capturing the Demo here, but below are my notes from this presentation;

Advanced threats are different…  Often following a similar set of steps;

- System intrusion – Attack begins – Cover-up discovery leap frog attacks – cover up complete, with the following characteristics;

  • Targeted
  • Stealthy
  • Interactive

How to defend;

  • decrease dwell time (time from successful breach until discovery)
  • speed response time (speed with which attacks are detected, and then remediated once discovered)

Relatively new attack discovered / named last year – ‘Waterholing’ – sit by the waterhole knowing prey will come to them – malicious users take over a site, knowing their targets are likely to visit it and trust it – then wait for them to arrive – malware etc. then delivered to users of the site.

Massive % of security spend currently on prevention, not detection..

71% of organisations have some sort of SoC (wider survey 66%)  most have plans to have one.  The question did cover from just some analysts who do investigations right through full on SoC capabilities.

SoC – level 1 adds, moves and changes, device health etc.

CIRC – manage security incidents, investigate suspicious behaviours, vulnerability analysis, threat management etc.

CIRC – even the specialists need to specialise!!

CIRCs can / should comprise the below 4 areas of responsibility.  Note, a person can have multiple roles, doesn’t need to be 4 people or more for smaller organisation1 – 4 suggested Tiers / areas of responsibility

  1. Front line – initial investigations, containment, triage, 24*7 etc
  2. Advanced tools, tactics and analysis – reverse engineering, host and network forensics, Cause and origin determination
  3. Analysis and tools support – Optimising the CIRC tools and processes; Integration, Content development, Reporting, Alert and Rule creation
  4. Cyber Threat Intelligence – understand the wider environment, analyse threat feeds, awareness of criminal / activist organisations etc.

EMC example – 1046 employees received a clear phishing email about fake wire transfers, 17 clicked on the link, 2 even clicked on the are you sure warning from the EMC gateway!  This sort of investigation should take minutes..  Does it for your organisation?

The maturity Journey – Control – Compliance – IT Risk – Business Risk

  • Your business needs to be moving from at least compliance to IT risk for levels 3 and 4 of the SoC to make sense.
  • Business, then IT risk SHOULD drive your security program and strategy.  Compliance is a byproduct of good security.
  • MSSP (Managed Security Service Provider)  – Make CIRC function more complete and affordable
    • What does it make sense to outsource from the CIRC functions?
      • Start with Tier 1, second most likely threat intelligence (as this can be somewhat stand alone, and an MSSP likely already has good contacts and threat intelligence they can share)
      • Tiers 3 and 4 can be, but these are harder and likely require in depth expertise and knowledge about the internal operation of the organisation.

To assist this organisations need;

  • Comprehensive visibility
    • view, collect and analyse everything
  • Agile analytics
    • efficient analysis and instigation of potential issues
  • Actionable intelligence
    • understand ‘normal’ aid identification and investigation of anomalies.  Make data machine readable
  • Optimised incident management

RSA Security Analytics is designed to meet these needs.  Well there had to be some product focus as it’s an RSA presentation..

My questions;

  • However, where does this fit into the overall business?
    • Can it be used by the wider business in order to offer a business wide solution to log management and analytics?

RSA response – Data is stored in Hadoop style storage so you can write tools to query it. But no there are no plans for them to provide any ops style dashboards and functionality that could be used by the wider IT team and the business.  For me this is a massive gap given the current market for log correlation and analysis type tools.  There is no way a business should want two of these solutions in place with logs shipped to both and all the associated licensing and management that goes with it.  Having two tools also leads to a potential situation where all logs may not get to the security tool and therefore you’ll miss potential threats.

So back to the talk;

RSA Security Analytics provides both a combination of both real time and longer term analytical abilities;

  • real time example – analysing data on the wire for attacks and suspicious behaviour
  • longer term – log on from two different locations – analyse distance between locations and time between logons 

Threat intelligence from feeds and incorporating business context. 

  • Look at all the data, use intelligence to narrow it down to provide a low number of real and useful alerts.

Security analytics demo;

  • Has full data set, can drill down to specific IP addresses, and the behaviour between it and others, identifies hacker tools etc.
  • Integrates with RSA threat feed etc.
  • Identifies high risk file types, windows cli commands etc.
  • Keeps suspicious IP address list from top suspicious IP list.
  • Can make network data back into the real data – e.g. can view emails as the email with cc etc, can view text files and images this looks a bit like man in the middle stuff – recompiles the actual conversation / traffic.
  • Currently a detective / investigative system.

5 take aways things you could do;

  1. Analyse current / goal security spend by prevention, detection and response.
  2. Honestly assess your organisations security maturity.
  3. Expand / build-out SoC/CIRC via on-premise or MSSP (or on premise MSSP).
  4. Invest in breach readiness processes.
  5. Evaluate your security tooling – is it too perimeter / signature based? Does it align with your security strategy and desired posture?

Overall this was a useful talk with quite a few good points and outside of the demo relatively little product and marketing talk.

I am however very disappointed that RSA are intent on keeping Security Analytics 100% focussed on security only.  It’s undoubtedly a good product in this space, but there are other products now that appear to offer similar levels of functionality in this space while also being genuinely good products across ops / application support / business users etc. and also being potentially more flexible and extensible.  Take a look at both Splunk and LogRythm.

K

Posted in Security | Tagged , , , , , | Leave a comment