<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NovaInfosecPortal.com &#187; pen-testing</title>
	<atom:link href="http://www.novainfosecportal.com/tag/pen-testing/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.novainfosecportal.com</link>
	<description>News, events, &#38; resources for infosec professionals in NoVA, DC, &#38; MD</description>
	<lastBuildDate>Mon, 06 Feb 2012 18:30:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/06/08/top-3-nova-infosec-blog-posts-of-the-week-11/</link>
		<comments>http://www.novainfosecportal.com/2009/06/08/top-3-nova-infosec-blog-posts-of-the-week-11/#comments</comments>
		<pubDate>Mon, 08 Jun 2009 14:00:33 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[Blogs]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[hex-editor]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[management]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[novabloggers]]></category>
		<category><![CDATA[pauldotcom]]></category>
		<category><![CDATA[pen-testing]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1640</guid>
		<description><![CDATA[If you’re getting a little tired of the debates surrounding the Cybersecurity issue, you’ll find the posts we selected for this week’s “Top NoVA Infosec Blog Posts” refreshing. #3 &#8211; The Art of Persuasion: In his post “Recognizing False Arguments,” @electricfork outlines the familiar arguments that many of us hear when we try to convince our employers that a gaping vulnerability won’t just fix itself or go unnoticed by attackers. While employers tend to come up with all kinds of arguments—many of them ranging from slightly absurd to completely ridiculous—the reality is that we must be prepared to show our employers why vulnerabilities cannot remain unfixed. @electricfork does a great job of outlining basic responses to some of the most common arguments used against fixing vulnerabilities. You can check them out here. #2 &#8211; What the Hex: For those of you who haven’t used a hex editor before, or are looking for a new one, you’re in luck. In their post “XVI32: Hex Editor of Champions,” @geminisecurity talks about hex editors (the XVI32 hex editor specifically), and why we should use them. Calling the hex editor “an essential tool for anyone in the computer security field,” @geminisecurity says that hex [...]]]></description>
			<content:encoded><![CDATA[<p>If you’re getting a little tired of the debates surrounding the Cybersecurity issue, you’ll find the posts we selected for this week’s “Top NoVA Infosec Blog Posts” refreshing.</p>
<p><strong>#3 &#8211; The Art of Persuasion</strong>: In his post “Recognizing False Arguments,” <a href="http://www.twitter.com/electricfork">@electricfork</a> outlines the familiar arguments that many of us hear when we try to convince our employers that a gaping vulnerability won’t just fix itself or go unnoticed by attackers. While employers tend to come up with all kinds of arguments—many of them ranging from slightly absurd to completely ridiculous—the reality is that we must be prepared to show our employers why vulnerabilities cannot remain unfixed. @electricfork does a great job of outlining basic responses to some of the most common arguments used against fixing vulnerabilities. You can check them out <a href="http://electricfork.com/blog/114/recognizing-false-arguments">here</a>. <span id="more-1640"></span></p>
<p><strong>#2 &#8211; What the Hex</strong>: For those of you who haven’t used a hex editor before, or are looking for a new one, you’re in luck. In their post “XVI32: Hex Editor of Champions,” <a href="http://www.twitter.com/geminisecurity">@geminisecurity</a> talks about hex editors (the XVI32 hex editor specifically), and why we should use them. Calling the hex editor “an essential tool for anyone in the computer security field,” @geminisecurity says that hex editors are especially good for looking at the nitty-gritty details of data. The XVI32 is no exception. Describing the XVI32 hex editor “a very robust, stable, and easy-to-use hex editor for Windows,” @geminisecurity says that some of its best features include a built-in scripting engine, bit manipulation capabilities, and numerous ways to interpret and display data. You can check out all the details <a href="http://securitymusings.com/article/1108/xvi32-hex-editor-of-champions">here</a>.</p>
<p><strong>#1 &#8211; Think Outside the Toolbox</strong>: The PaulDotCom post “Find Time to Put the Tools Away” opens with an interesting comparison of pen testing eerily resembling airport security. Both pen testers and TSA professionals are trained to look for very specific things, often overlooking other potential problems because they neglect to see the big picture. For example: Instead of looking for certain vulnerabilities like XSS, XSRF and SQLi, PaulDotCom encourages security professionals to look at how an application works instead of looking at the parts that make it work. He also gave one of the most profound pieces of advice that we’ve heard in a while: “Trying to understand how something worked used to be the goal and definition of hacking.” And on that note, I hope that you’ll <a href="http://pauldotcom.com/2009/06/find-time-to-put-the-tools-awa.html">read the post</a> yourself.</p>
<p>Don’t forget to follow me during the week <a href="http://www.twitter.com/grecs">@grecs</a> to get more recommendations on the blog posts you should be reading.</p>
<p style="text-align: center;">o o o o o</p>
<p style="text-align: center;"><em>Wanna <a href="http://www.amazon.com/gp/product/1597490113?ie=UTF8&amp;tag=grecomconsult-20&amp;linkCode=as2&amp;camp=1789&amp;creative=390957&amp;creativeASIN=1597490113">hack your career</a>?</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/06/08/top-3-nova-infosec-blog-posts-of-the-week-11/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Great Expectations</title>
		<link>http://www.novainfosecportal.com/2009/05/13/great-expectations/</link>
		<comments>http://www.novainfosecportal.com/2009/05/13/great-expectations/#comments</comments>
		<pubDate>Wed, 13 May 2009 15:15:50 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[back-to-basics]]></category>
		<category><![CDATA[bt-study-most-enterprises-expect-to-get-hacked-this-yea]]></category>
		<category><![CDATA[computer-security]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[darkreading]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data-protection]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[intranet]]></category>
		<category><![CDATA[it-field]]></category>
		<category><![CDATA[md]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[organizations]]></category>
		<category><![CDATA[pen-test]]></category>
		<category><![CDATA[pen-testing]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1501</guid>
		<description><![CDATA[DarkReading recently published an interesting article entitled “BT Study: Most Enterprises Expect to Get Hacked This Year.” I’d say that that’s a safe assumption, since in the case of most large organizations, their electronic footprint is everywhere.  When you pair that with unmanaged parts of an organization setting up servers and machines, accounting for all resources is practically impossible. Interestingly enough however, many of the organizations quoted in the BT study expect that they are less likely to get hacked if they pen test. But unless you have unlimited resources and endless stretches of time, that conclusion is very wrong. In reality, the amount of resources that most organizations have to dedicate to pen testing is limited. According to the DarkReading article, this happens for a variety of reasons; everything from upper management not understanding the importance of pen testing to organizations worrying that “the results of a pen test ‘could be embarrassing’” causes vulnerable systems to go untested. But no matter what the reason, the bottom line is that this issue is only going to become more prominent as the role of technology in organizations continues to expand.   So, if there’s no avoiding the fact that we should expect to [...]]]></description>
			<content:encoded><![CDATA[<p>DarkReading recently published an interesting article entitled “<a href="http://www.darkreading.com/security/intrusion-prevention/showArticle.jhtml?articleID=217300227">BT Study: Most Enterprises Expect to Get Hacked This Year</a>.” I’d say that that’s a safe assumption, since in the case of most large organizations, their electronic footprint is everywhere. When you pair that with unmanaged parts of an organization setting up servers and machines, accounting for all resources is practically impossible.</p>
<p>Interestingly enough however, many of the organizations quoted in the BT study expect that they are less likely to get hacked if they pen test. But unless you have unlimited resources and endless stretches of time, that conclusion is very wrong.</p>
<p>In reality, the amount of resources that most organizations have to dedicate to pen testing is limited. According to the DarkReading article, this happens for a variety of reasons: everything from upper management not understanding the importance of pen testing to organizations worrying that “the results of a pen test ‘could be embarrassing’” causes vulnerable systems to go untested. But no matter what the reason, the bottom line is that this issue is only going to become more prominent as the role of technology in organizations continues to expand.</p>
<p>So, if there’s no avoiding the fact that we should expect to get hacked even if we pen test, what should we do? Easy: Find out what we can do to minimize the impact of compromises and continue to make sure we have a strong foundation to work on. <span id="more-1501"></span></p>
<p>This idea goes back to one of the ongoing themes we have here on the site, which is <a href="http://www.novainfosecportal.com/2009/04/18/recent-studies-stress-back-to-basics/">getting back to basics and doing them well</a>. Start out by identifying what you are trying to protect and work your way out—take a defense in-depth approach. Most organizations are looking to protect data, so that’s where we’ll start.</p>
<p>First, we need to determine the sensitivity of the data we are trying to protect. What would happen if a hacker, competitor, or nation-state was able to get to that information? Would lives be at stake? Would the loss of a competitive advantage result in losing a contract? How much would it cost to clean up after your customers’ credit card details were sold on the web?</p>
<p>Based on this data value analysis, say you come up with three sets of data: A, B, and C, with A being your crown jewels. Maybe it would make sense to store the A set in a segmented area of the network where you need to log into a special terminal for access. Perhaps the B set could exist on your organization’s <a href="http://www.novainfosecportal.com/2009/04/15/why-intranets-aren%E2%80%99t-as-safe-as-everyone-thinks-they-are/">intranet</a> protected by traditional OS and network access controls. The C set may not be too sensitive, so maybe it’s available in public areas on your intranet.</p>
<p>In this instance, an attacker may be able to get through your first line of defense and into your intranet. Any information stolen there wouldn’t be too sensitive, so the effect of compromised data would be minimized. Maybe the hacker is very skilled and is able to bruteforce someone’s password over a period of several weeks. They’ve broken through your second layer of defense and now have access to the B set of data. Although this data is more sensitive, the required skills and time commitment necessary to gain access to this information may minimize the compromise if the data is time sensitive. Finally, you have the A data set. In this case, the attacker would not only have had to access the intranet and compromised someone’s account, but would have also had to physically gain access to a secured terminal. The hope is that at this point, the attacker will give up and focus on a less secured target.</p>
<p>You can make this scenario a lot more complex, but this example illustrates the basic concept of assuming you are going to get hacked and using defense in-depth to segment your network and employ protections relative to the value of the compartmentalized data.</p>
<p style="TEXT-ALIGN: left">Besides disconnecting your organization’s network from the Internet completely, this is the best that I could come up with. What are your thoughts on how we can minimize the effects of getting hacked? Comment below or send me a tweet <a href="http://www.twitter.com/grecs">@grecs</a>.</p>
<p style="TEXT-ALIGN: center">o     o     o     o     o</p>
<p style="TEXT-ALIGN: center"><em>One of the best ways to get back to basics is to have a good foundation. We’ve put together a list of useful <a href="http://www.novainfosecportal.com/general/help-us-help-you/">books</a> that will help you get on track and do the basics well.</em>  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/05/13/great-expectations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Software Security Better But Still Has A Long Way to Go</title>
		<link>http://www.novainfosecportal.com/2009/04/22/software-security-better-but-still-has-a-long-way-to-go/</link>
		<comments>http://www.novainfosecportal.com/2009/04/22/software-security-better-but-still-has-a-long-way-to-go/#comments</comments>
		<pubDate>Wed, 22 Apr 2009 10:00:08 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cnet]]></category>
		<category><![CDATA[code-scanning-tools]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[eiverson]]></category>
		<category><![CDATA[Elinor-Mills]]></category>
		<category><![CDATA[gary-mcgraw]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[pen-testing]]></category>
		<category><![CDATA[secure-software]]></category>
		<category><![CDATA[software-security]]></category>
		<category><![CDATA[system-security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1384</guid>
		<description><![CDATA[In the past few days I&#8217;ve come across two articles that, according to their titles, seem to imply that the problem of software security is practically solved. In the article &#8220;Software [In]security: Software Security Comes of Age,&#8221; Gary McGraw discusses the numbers and stats behind general software security, the increased use of code scanning tools, and how pen testing is the primary tool used for baselining system security. A few days after reading the McGraw article, I read an article by Elinor Mills of CNET that addressed this topic further. In her article, “Secure software? Experts Say It&#8217;s No Longer A Pipedream,” Mills interviews several software security experts that not-so-subtly imply that we are almost to the point of ‘solving’ the software security problem. While both pieces are well written and cover the topic of software security in detail, I can’t help but feel cautionary when it comes to their titles and their optimism. Both article titles seem to imply that we are on the cusp of solving the problem of software security. (Which, by and large, we’re not.) When you read the articles in more detail however, it seems that they should have been titled “Software Security Better But Still Has [...]]]></description>
			<content:encoded><![CDATA[<p>In the past few days I&#8217;ve come across two articles that, according to their titles, seem to imply that the problem of software security is practically solved. In the article &#8220;<a href="http://www.informit.com/articles/article.aspx?p=1338343">Software [In]security: Software Security Comes of Age</a>,&#8221; Gary McGraw discusses the numbers and stats behind general software security, the increased use of code scanning tools, and how pen testing is the primary tool used for baselining system security.</p>
<p>A few days after reading the McGraw article, I read an article by Elinor Mills of CNET that addressed this topic further. In her article, “<a href="http://news.cnet.com/8301-1009_3-10222698-83.html">Secure software? Experts Say It&#8217;s No Longer A Pipedream</a>,” Mills interviews several software security experts that not-so-subtly imply that we are almost to the point of ‘solving’ the software security problem.<span id="more-1384"></span></p>
<p>While both pieces are well written and cover the topic of software security in detail, I can’t help but feel cautionary when it comes to their titles and their optimism. Both article titles seem to imply that we are on the cusp of solving the problem of software security. (Which, by and large, we’re not.)</p>
<p>When you read the articles in more detail however, it seems that they should have been titled “Software Security Better But Still Has A Long Way to Go.” (Sound familiar?) Because in spite of their cheery titles and overall optimist outlook on software security, both articles note that developing software in a secure manner is still a very difficult task.</p>
<p>And, to be completely honest, I personally feel that creating totally secure software isn’t only difficult, but impossible.</p>
<p>Because no matter how good we get at creating secure software, we’re human. Humans aren’t perfect, and the things we create aren’t perfect. Even if we properly trained every person that uses or develops software, created and enforced clear policies and procedures that would prevent common software security problems, and developed advanced static and dynamic code scanning tools, we are all human and therefore fallible.</p>
<p>We all make mistakes—especially under the time constraints that many vendors put on us to get products and features out the door on time. And while developers are making great improvements when it comes to coding software securely, their primary focus is still on the functionality of a product; security is an afterthought and often not addressed due to the pressures of limited time and resources.</p>
<p>Overall, we have made great strides over the past decade, and these advancements will definitely help lower our risk profiles. However, I feel software security is still in its adolescent phase and that we have much further to go. As <a href="http://www.cnet.com/profile/eiverson">eiverson</a>—a commenter on Mills’ CNET article—noted, “[w]e&#8217;re making progress on treating cancer too. But people die from it every day. It&#8217;ll take years for information security practices for software development to give us peace of mind.”</p>
<p style="TEXT-ALIGN: center">###</p>
<p style="TEXT-ALIGN: center"><em>Have you heard? NovaInfosecPortal has partnered with SANS to get you the training you need while helping NovaInfosecPortal at the same time. If you haven’t already, take a moment to visit our <a href="http://www.novainfosecportal.com/general/help-us-help-you/"><span style="color: #b85b5a;">Help Us Help You</span></a> page to learn about additional ways that you can help us help you.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/04/22/software-security-better-but-still-has-a-long-way-to-go/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/04/14/top-3-nova-infosec-blog-posts-of-the-week-4/</link>
		<comments>http://www.novainfosecportal.com/2009/04/14/top-3-nova-infosec-blog-posts-of-the-week-4/#comments</comments>
		<pubDate>Tue, 14 Apr 2009 14:21:06 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[anoint-yourself-an-expert]]></category>
		<category><![CDATA[community]]></category>
		<category><![CDATA[cyberhiker]]></category>
		<category><![CDATA[dojosec]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[infosec-bloggers]]></category>
		<category><![CDATA[marcus-j-carey]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[NoVA Bloggers]]></category>
		<category><![CDATA[pen-testing]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1355</guid>
		<description><![CDATA[It was a busy week for local NoVA infosec bloggers, with posts discussing everything from pen testing to VMWare, as well as an interesting v-blog post about how you can take the initiative to anoint yourself an expert. And for those of you who like a little trivia to start your day with, do you know which local NoVA infosec blog made the list of the “5 Best Technical Security Blogs” for the RSA Social Security Awards? We’ll give you a hint: It’s one of the blogs featured this week. #3 &#8211; Not Just a Waste of Time: Spurred to action by a thread on ethicalhacker.net, @carnal0wnage wanted to see if JavaScript could be used, as he puts it, to “screw with analysts looking at the malicious sites and js.” While he felt that the question was entirely pointless from a malware perspective, @carnal0wnage took it more as a challenge, discovering that you can use JavaScript to determine on a basic level whether or not you’re in a vm. To read the full post along with the scripts he used, click here.  #2 &#8211; Be the Expert: DojoSec’s Marcus J. Carey has good news for anyone who wants to be an [...]]]></description>
			<content:encoded><![CDATA[<p>It was a busy week for <a href="http://www.novainfosecportal.com/resources/nova-email-lists-networking/">local NoVA infosec bloggers</a>, with posts discussing everything from pen testing to VMware, as well as an interesting v-blog post about how you can take the initiative to anoint yourself an expert.</p>
<p>And for those of you who like a little trivia to start your day with, do you know which local NoVA infosec blog made the list of the “5 Best Technical Security Blogs” for the RSA Social Security Awards? We’ll give you a hint: It’s one of the blogs featured this week.</p>
<p><strong>#3 &#8211; Not Just a Waste of Time</strong>: Spurred to action by a thread on ethicalhacker.net, <a href="http://twitter.com/carnal0wnage">@carnal0wnage</a> wanted to see if JavaScript could be used, as he puts it, to “screw with analysts looking at the malicious sites and js.” While he felt that the question was entirely pointless from a malware perspective, @carnal0wnage took it more as a challenge, discovering that you can use JavaScript to determine on a basic level whether or not you’re in a vm. To read the full post along with the scripts he used, click <a href="http://carnal0wnage.blogspot.com/2009/04/detecting-vmware-with-javascript-or-how.html">here</a>. </p>
<p><strong>#2 &#8211; Be the Expert</strong>: DojoSec’s Marcus J. Carey has good news for anyone who wants to be<span id="more-1355"></span> an expert but doesn’t know how: You can anoint yourself an expert. In an excellent v-blog post, Carey tells viewers how to take the initiative to be experts in what they know. It’s an encouraging watch—especially in light of the current economy—because Carey puts the importance of certifications and experience on more of an equal level. To watch the post, click <a href="http://blog.marcusjcarey.com/2009/04/no-one-will-anoint-you-as-expert.html">here</a>.      </p>
<p><strong>#1 &#8211; The Trouble With Testing</strong>: In his blog post “To Pen Test or Not to Pen Test … That is the Question,” local infosec blogger <a href="http://twitter.com/cyberhiker">@cyberhiker</a> addresses the advantages and disadvantages of pen testing. Our favorite part? When he lists the common excuses that companies make against using pen testing, such as “It’s Expensive,” “They Could Break Our Shh… Stuff,” and “Our Coders / Developers Are Awesome.” @cyberhiker counters each one of the excuses, saying that while pen testing is expensive, so is losing data, and that even the most awesome coders or developers can make mistakes. All in all, @cyberhiker makes a good case for why companies should make pen testing a regular part of their security regimen, saying that it should be done annually if not more frequently. You can read the full blog post <a href="http://howisthatassuranceevidence.blogspot.com/2009/04/to-pen-test-or-not-to-pen-test-that-is.html">here</a>.</p>
<p>So did you guess which blog made the “5 Best Technical Security Blogs” for the RSA Social Security Awards? It was @carnal0wnage’s blog. If you haven’t already, take a moment to <a href="http://carnal0wnage.blogspot.com/2009/04/carnal0wnage-blog-makes-top-5-best.html">congratulate him</a>.</p>
<p style="text-align: center;"><em>###</em></p>
<p style="text-align: center;"><em>We love being part of the local security community, and we would love for you to be involved as well. There are two ways that you can get involved here at NovaInfosecPortal: You can purchase a <a href="http://www.novainfosecportal.com/general/help-us-help-you/"><span style="color: #b85b5a;">subscription</span></a> to the site, or you can be a guest poster. If you are interested in being a guest poster for NovaInfosecPortal, please <a href="http://www.novainfosecportal.com/general/help-us-help-you/"><span style="color: #b85b5a;">drop us a line</span></a> and we’d love to talk to you.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/04/14/top-3-nova-infosec-blog-posts-of-the-week-4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reminder: OWASP &#8211; VA Local Chapter Infosec Meetup Event is Tomorrow, 04-08</title>
		<link>http://www.novainfosecportal.com/2009/04/07/reminder-owasp-va-local-chapter-infosec-meetup-event-is-tomorrow-04-08/</link>
		<comments>http://www.novainfosecportal.com/2009/04/07/reminder-owasp-va-local-chapter-infosec-meetup-event-is-tomorrow-04-08/#comments</comments>
		<pubDate>Tue, 07 Apr 2009 23:19:52 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[NoVA Meetups]]></category>
		<category><![CDATA[event]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[meetup]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[owasp]]></category>
		<category><![CDATA[owasp-va]]></category>
		<category><![CDATA[pen-testing]]></category>
		<category><![CDATA[penetration-testing]]></category>
		<category><![CDATA[wade-woolwine]]></category>
		<category><![CDATA[whitehat-security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1341</guid>
		<description><![CDATA[Update: The OWASP &#8211; VA Local Chapter infosec meetup taking place tomorrow has two newly added speakers for the panel portion of the meetup: @wadew and Nate Miller of Stratum Security. For more information about the OWASP &#8211; VA Local Chapter, see its description in our Infosec Meetups section, or view our original post about the meetup. Also, don&#8217;t forget to view our Calendar for a list of similar infosec events in and around the NoVA area. ### Would you like us to keep these kinds of posts coming? Then help us help you by contributing to the improvements we&#8217;re trying to make to the site.]]></description>
			<content:encoded><![CDATA[<p><strong>Update</strong>: The <a href="../events/nova-meetups/#owasp-va">OWASP &#8211; VA Local Chapter</a> infosec meetup taking place tomorrow has two newly added speakers for the panel portion of the meetup: <a href="http://twitter.com/wadew" target="_blank">@wadew</a> and Nate Miller of Stratum Security.</p>
<p>For more information about the <a href="../events/nova-meetups/#owasp-va">OWASP &#8211; VA Local Chapter</a>, see its <a href="../events/nova-meetups/#owasp-va">description</a> in our Infosec Meetups section, or view our <a href="http://www.novainfosecportal.com/2009/04/01/owasp-va-local-chapter-infosec-meetup-event-wednesday-04-08-the-future-of-pen-testing/">original post</a> about the meetup.</p>
<p>Also, don&#8217;t forget to view our <a href="../events/full-calendar/"><span style="color: #b85b5a;">Calendar</span></a> for a list of similar infosec events in and around the NoVA area.</p>
<p class="entry" style="text-align: center;">###</p>
<p class="entry" style="text-align: center;"><em>Would you like us to keep these kinds of posts coming? Then <a href="http://www.novainfosecportal.com/general/help-us-help-you/">help us help you</a> by contributing to the improvements we&#8217;re trying to make to the site. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/04/07/reminder-owasp-va-local-chapter-infosec-meetup-event-is-tomorrow-04-08/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OWASP &#8211; VA Local Chapter Infosec Meetup Event &#8211; Wednesday, 04-08: The Future of Pen Testing</title>
		<link>http://www.novainfosecportal.com/2009/04/01/owasp-va-local-chapter-infosec-meetup-event-wednesday-04-08-the-future-of-pen-testing/</link>
		<comments>http://www.novainfosecportal.com/2009/04/01/owasp-va-local-chapter-infosec-meetup-event-wednesday-04-08-the-future-of-pen-testing/#comments</comments>
		<pubDate>Thu, 02 Apr 2009 00:52:56 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[NoVA Meetups]]></category>
		<category><![CDATA[event]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[meetup]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[owasp]]></category>
		<category><![CDATA[owasp-va]]></category>
		<category><![CDATA[pen-testing]]></category>
		<category><![CDATA[penetration-testing]]></category>
		<category><![CDATA[wade-woolwine]]></category>
		<category><![CDATA[whitehat-security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1299</guid>
		<description><![CDATA[After a brief break in March, the OWASP &#8211; VA Local Chapter is back this month with a meetup and corresponding panel discussion on Wednesday, April 8th. The panel discussion will be led by NoVA’s own Wade Woolwine, and the 50-minute presentation will be given by Jeremiah Grossman of Whitehat Security. Grossman will open the meetup with his talk, “How Penetration Testing Has Matured—A Modern Look,” and Woolwine will start his panel discussion—“Critical Answers to How Your Organization Should Use Penetration Testing”—shortly after Grossman finishes his presentation. There are some interesting developments happening with pen testing right now, so if that’s your area of expertise, or something you’d like to learn more about, you will reap huge benefits from attending this meetup. Want additional information about this meetup? Continue reading below. Who: Wade Woolwine of the Wade Woolwine Blog and Jeremiah Grossman of Whitehat Security What: “How Penetration Testing Has Matured—A Modern Look” by Grossman, and &#8220;Critical Answers to How Your Organization Should Use Penetration Testing” by Woolwine When: 04-08, 6:00 &#8211; 9:00 PM EST Where: Booz Allen, One Dulles Facility (13200 Woodland Park Road; Herndon, VA 20171) For more information on the OWASP &#8211; VA Local Chapter, see its description [...]]]></description>
			<content:encoded><![CDATA[<p style="cursor: text; border: #ffffff 1px solid;">After a brief break in March, the <a href="http://www.novainfosecportal.com/events/nova-meetups/#owasp-va">OWASP &#8211; VA Local Chapter</a> is back this month with a meetup and corresponding panel discussion on Wednesday, April 8th.</p>
<p style="cursor: text; border: #ffffff 1px solid;">The panel discussion will be led by NoVA’s own Wade Woolwine, and the 50-minute presentation will be given by Jeremiah Grossman of Whitehat Security.</p>
<p style="cursor: text; border: #ffffff 1px solid;">Grossman will open the meetup with his talk, “How Penetration Testing Has Matured—A Modern Look,” and Woolwine will start his panel discussion—“Critical Answers to How Your Organization Should Use Penetration Testing”—shortly after Grossman finishes his presentation.</p>
<p style="cursor: text; border: #ffffff 1px solid;">There are some interesting developments happening with pen testing right now, so if that’s your area of expertise, or something you’d like to learn more about, you will reap huge benefits from attending this meetup.</p>
<p style="cursor: text; border: #ffffff 1px solid;">Want additional information about this meetup? Continue reading below.<span id="more-1299"></span></p>
<p><!--more--></p>
<ul>
<li><strong>Who:</strong> Wade Woolwine of the <a href="http://www.wadewoolwine.com/">Wade Woolwine Blog</a> and Jeremiah Grossman of <a title="Whitehat Security" href="http://www.whitehatsec.com/home/index.html" target="_blank">Whitehat Security</a></li>
<li><strong>What:</strong> “How Penetration Testing Has Matured—A Modern Look” by Grossman, and &#8220;Critical Answers to How Your Organization Should Use Penetration Testing” by Woolwine</li>
<li><strong>When:</strong> Wednesday, 04-08, 6:00 &#8211; 9:00 PM EST</li>
<li><strong>Where:</strong> <a href="http://www.boozallen.com/">Booz Allen</a>, One Dulles Facility (<a href="http://maps.google.com/maps?f=q&amp;hl=en&amp;geocode=&amp;q=13200+Woodland+Park+Road%3B+Herndon,+VA+20171&amp;sll=39.286432,-76.617661&amp;sspn=0.011559,0.01899&amp;ie=UTF8&amp;z=16&amp;iwloc=addr">13200 Woodland Park Road; Herndon, VA 20171</a>)</li>
</ul>
<p>For more information on the OWASP &#8211; VA Local Chapter, see its <a href="http://www.novainfosecportal.com/events/nova-meetups/#owasp-va">description</a> in our <a href="http://www.novainfosecportal.com/events/nova-meetups/">NoVA Meetups</a> section. View our <a href="http://www.novainfosecportal.com/events/full-calendar/">Calendar</a> for a complete list of infosec events in and around the NoVA area. Here is a link to the <a href="http://www.owasp.org/index.php/Virginia_(Northern_Virginia)#tab=Schedule">page with information on this meetup</a>.</p>
<p style="cursor: text; text-align: center; border: #ffffff 1px solid;"><em> ###</em></p>
<p style="cursor: text; text-align: center; border: #ffffff 1px solid;"><em>While it’s not pen testing software, we’d like to think that it’s just as valuable: A subscription to NovaInfosecPortal.<br />
</em><em>Why not view our <a href="http://www.novainfosecportal.com/general/help-us-help-you/">subscription</a> page to find out more about how you can help us help you?</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/04/01/owasp-va-local-chapter-infosec-meetup-event-wednesday-04-08-the-future-of-pen-testing/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

