Community SANS Event in Dublin

Bob McArdle has made me aware of these upcoming Community SANS events to be held in Dublin this coming September. Bob and Owen are both very well regarded for their expertise and I highly recommend attending either, or both, of these courses.

Bob also kindly offered a discount code for those of you wishing to attend. Contact me on brian dot honan at bhconsulting dot ie and I will pass the code along to you.

The two upcoming courses are:

  • 20-25 September for SEC504: Hacker Techniques, Exploits & Incident Handling
  • 27 September – 2 October for SEC542: Web App Penetration Testing and Ethical Hacking

SEC504: Hacker Techniques, Exploits & Incident Handling

20-25 September

Instructor: Robert McArdle

Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

SEC542: Web App Penetration Testing & Ethical Hacking

27 September – 2 October

Instructor: Owen Connolly

In this intermediate to advanced level class, you will learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do. Through detailed, hands-on exercises and training from an experienced instructor you will learn the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization’s Web applications to find some of the most common and damaging Web application vulnerabilities today.

For more details and to register please visit: http://www.sans.org/info/60323

About the Community SANS EMEA Program

The Community SANS format in EMEA (Europe, Middle East and Africa region) offers the most popular SANS courses in your local community and in your local language. The classroom setting is small, with fewer than 25 students. The instructors are drawn from the best of the local mentor programme or are qualified security experts who have passed SANS' rigorous screening process. The course material is delivered over consecutive days, and the course content is the same as that provided at a larger training event. In addition to the excellent courseware, you will be able to use the skills you learned as soon as you return to the office, and you will be able to continue to network with the colleagues in your community that you meet at the training.

The Value of Security Certifications

Within the information security community one of the most debated topics is that of security certifications. I previously blogged about certifications and gave my own views. The mailing list of the Irish OWASP Chapter also had a recent discussion centred around the topic. Many asked what value a certification has, which ones they should get, and whether CPEs really add any value.

Richard Nealon, a well respected member of the Irish infosec community who has been involved as a volunteer with (ISC)2 in various roles over the past 10 years and was to be honoured with the COSAC award in 2003, gave one of the most insightful contributions to this debate that I have read in a long time. I talked to Richard and he has agreed to allow me to publish his thoughts here:

As a former member of the (ISC)2 Board of Directors, and active volunteer, you’ll not be surprised to find that I have strong opinions on the topic.
You might be surprised, though, to find that they’re not too far from all of the points raised so far.

First point: There are three types of certification available in the market at the moment:

  1. Technical certification – SANS, vendor related (Microsoft, Cisco, Symantec, etc), EC Technical Hacker, etc
  2. Generic certifications – ISC2, ISACA
  3. Academic certifications – MSc, Dip in Forensics, etc.

Each of these have their merits & demerits, but I think that we have to look at the area of certification (and what it offers each of us) holistically rather than focusing on one particular cert.

Which one of these types is best? To use the great SOx answer – “It depends”.
It depends greatly on what your chosen/planned career path is, the security of your job, your expectations for the future…

I’d argue that any certification doesn’t prove competence in any manner. It only goes to show that an individual has been successful in achieving a certain score at a point in time.

Nevertheless, in so many cases, recruiting employers will list a specific certification (or range of certs) to set a baseline and discourage what they consider to be the timewasters (those going for the job despite having no experience). In most cases, for security management roles, CISSP or CISA (CISM is the more appropriate ISACA cert but simply isn’t as well known) are used as that baseline. That’s just the way it is – (ISC)2 has been around over 20 years with a membership of about 60k and ISACA even longer. The reason that these specific baselines are used, is only because there’s nothing better on offer that’s as well known in the marketplace.

Now – let me come back to an important point in the last paragraph. You’ll notice that I mentioned “for security management roles”. The baseline certs being looked for should be much different if the organisation is recruiting a DBA, firewall admin, RACF support… but unfortunately they nearly always use one-size-fits-all (primarily because they don’t really understand what “security do”).

I was speaking with a chap last week who’s a graduate of the MSc programme in Information Security from Royal Holloway. The job he was interviewing for was to independently review and report on a PKI implementation. Despite having implemented and managed a large PKI environment in the past, and having the MSc, the employer rejected his tender because he didn’t meet their certification criteria (i.e. didn’t currently hold CISSP or CISA).

Bottom line:

  • If you’re looking to set your career as a security techie – go for, and maintain, technical certifications.
  • If you’re looking to set your career in security management – get at least one of the generic certifications and maintain it.
  • If you want to educate yourself – go off and get an academic certification.
  • If you’re never going to have to interview again (internally or externally) – save your money and let your certifications lapse.

Them’s the options!  Take your pick.

CPEs first – Many of my CPEs are maintained by attending the monthly e-symposia from (ISC)2 and ISACA. I normally access them via the archive after a couple of months and get them done in one large tranche. Between the two, I can claim about 60 CPE hours a year if I’m bothered (3 CPEs per symposium, by about 10 instances from each organisation per year). Past that – every hour that you receive a vendor presentation or demo; every exam question that you write and submit; every time you read the newsletter and answer the quiz; every hour that you volunteer your services on a committee or board; … There are so many ways to earn CPEs free of charge that only require the time and effort from each of us. First port of call for quick & easy (and free) CPEs: https://www.isc2.org/e-symposium/default.aspx

AMFs – so what do we get for our $65? We get free seminars, we get reductions on a huge amount of vendor training, we get free e-symposia monthly, we get a quarterly newsletter, we get deliverables (e.g. recent awareness material submitted by members), discounts off the academic journal, online fora, and a host of other “stuff”. Have a look at https://www.isc2.org/member-benefits.aspx . Most of all, we get the advantage of putting CISSP after our name. This identifies us as professionals (this is what we do for a living), as distinct from amateurs. It doesn’t necessarily make us good professionals – as MD doesn’t necessarily guarantee good doctors, but would you want an amateur treating you for a medical complaint?

In terms of competing certification bodies, some organisations certainly do provide more content than (ISC)2 – but they also charge significantly higher AMFs!
Pertinent question being: What offers best value for money?

On a personal note – I’m happy to pass back any constructive suggestions from the group to their exec management as to what (ISC)2 should be doing to make their offering more valuable to their members. Please don’t just tell me that they don’t offer enough content, opportunity, support…
Rather, outline exactly what you think they’re currently missing, e.g. local chapters, free seminars, technical guidelines, areas of the CBK that should be covered, new certs.

I think you will agree Richard has made some very good points. So if you have any constructive suggestions for Richard please put them in the comments below and I will pass them on.

If you are looking for more information on what certification programmes are available, here is a list I compiled previously. Finally, it is interesting to note that in today’s SANS NewsBites a survey conducted by Foote Partners highlights a high demand for certified security professionals. Interestingly enough, it is the technical courses provided by SANS that are most in demand, with the GIAC Certified Incident Handler being the most sought after.

Plane Security


At this stage you have no doubt heard about the miraculous emergency landing of US Airways Flight 1549 in New York’s Hudson River. Thanks to the skill, experience and bravery of the pilot and the crew, all 155 people on board managed to get out of the plane safely with relatively few injuries.

So what has this got to do with information security, I hear you ask? As the story was breaking and I read the updates on the web and watched the coverage on various TV channels, I was taken aback at how the pilot managed to do such a fantastic job. I then started to think: if we in the information security industry adopted the disciplines used in the aviation industry, would we have more secure systems?

When you look at it closely you can see that there are many similarities between the information security and aviation industries:

  • Both are high tech by their nature.
  • The users of each industry understand very little of how the technology works; they just want it to do what it is supposed to do without putting them in danger.
  • While both industries use automation extensively, they still rely heavily on human intervention and guidance to ensure everything works as it should.
  • When there is a failure it can have significant impact, although aviation failures are by their nature more serious as they can result in human casualties.
  • Both industries attract a high number of ex-military personnel. The pilot of Flight 1549 is an ex-fighter pilot, and you cannot go to an information security conference without coming across ex-military or law enforcement personnel.

Yet with all these similarities, within information security we tend to see a much higher failure rate. So I began to think why this should be. The answer is really quite simple: discipline.

The aviation industry appears to me to be much more disciplined in every aspect. Within information security we have the mantra that security is successful only if the blessed trinity of People, Process and Technology are properly integrated. So let’s take a closer look at each of the elements in that trinity.

Technology

Aeroplanes themselves are carefully designed with a lot of fail-safe systems built into them. Not only that, but they are regularly and rigorously maintained in line with recognised good practices. New models of aeroplane are not rushed off the production line with known issues outstanding. Would you get on a plane that was pre-Service Pack 1?

Yet within IT we push new applications and systems into production environments without them being adequately tested, and in many cases knowing that there are bugs in the systems. The recent SANS/MITRE list of the Top 25 Most Dangerous Programming Errors highlights this approach.

Aeroplanes are maintained on a very regular basis, during which the whole plane undergoes stringent safety testing. Changes to an aeroplane have to be made in accordance with regulations and strict safety guidelines. Contrast that with how IT systems are maintained, or indeed how changes to the IT environment are managed. Change management offers one of the biggest returns for your money when it comes to ensuring the availability and security of your systems, yet very few organisations seem to do it properly, if at all.

People

Every member of the crew of an aeroplane must undergo a strict training regime before they are allowed on board. That training has to be regularly updated and retested. What is more, the training is specific to the task that each crew member does. A flight attendant, for example, is not qualified to fly a plane; pilots have to be specifically trained on the type of plane they will be flying and gain hours of flight experience before they are allowed to take to the skies.

Yet within IT we do not have the same rigour when it comes to those in charge of our critical systems. It is not uncommon for people to be in charge of systems that they have not received any formal training on, or indeed to be working (read that as winging it) with one vendor’s technology having been trained on that of a completely different vendor.

Each plane crew member is also trained in how to react in an emergency and can do so in an efficient and professional manner. Captain Chesley Sullenberger had the training and experience to react to the emergency on the plane and land it in the Hudson, while his crew had the training to safely evacuate the passengers. Captain Sullenberger then checked the plane twice himself to confirm it was clear of passengers and crew before getting off himself.

With regard to information security, many organisations do not have an incident response plan that is properly documented, regularly tested and with all staff properly trained in what they should do in the event of an incident. Too often responses to incidents are haphazard, without any clear plan or identified roles and responsibilities. If your company were to suffer as catastrophic an event as that experienced by Flight 1549, would your team have the processes, procedures and training to ensure the event had minimal impact on your systems?

When looking at the users of both industries, it appears to me that the aviation industry once again pips information security when it comes to security awareness. Most passengers are aware of what they are allowed to bring onto an aeroplane and will dutifully herd themselves like sheep as they wind their way past airport security to display their transparent plastic bag of small liquid containers. Passengers also know not to let others take their baggage or to bring someone else’s bags onto the plane. In addition, every time a passenger gets on an aeroplane they are subjected to a compulsory security awareness lecture, i.e. the flight safety briefing, which in turn is backed up by easy-to-understand awareness material located in each seat.

Ever since the events of 9/11, passengers are more likely to report suspicious behaviour by a fellow passenger in case they are a terrorist, and indeed will probably tackle someone who is behaving outside the acceptable norms.

Contrast the passenger with the average IT user. How often do your IT users get regular security awareness lectures? How clear are your policies and procedures that people should follow? Are they as easily understood as the rule on not taking liquids onto a plane or the airline safety leaflet? What are you doing to ensure users know not to click on attachments or links in emails, or insert that USB stick or CD they found into their computer? How confident are you that your users know not to share their login details with others, or how to recognise suspicious behaviour that may indicate their systems are infected or hacked?

Processes

Before take-off, every person connected with preparing the plane before, during and after the flight has to complete a set of predefined checklists. The ground crew ensure the plane is properly set up; the pilot logs his flight plan and checks his instruments and the plane; and the cabin crew ensure all equipment within the cabin is functioning as it should. Everybody has to go through these checklists before the plane is allowed to take off. Once the plane is in the air, the systems are continuously monitored, with everything recorded and logged to the aeroplane’s flight recorder, commonly known as the black box. On the ground the aeroplane is also constantly monitored by air traffic control to ensure it reaches its destination safely.

Although the airline industry is very high tech, it still relies heavily on humans to check and double check everything to minimise the risk of anything going wrong. It seems to me that the airline industry views technology as merely the tools of the trade, and that it is the human element that ensures everything runs smoothly.

The information security industry is also high tech but seems to rely much more on the technology element and overlooks the human. Shinier tools and vendor promises of silver-bullet technology seem to be what we rely on. Checklists and formal procedures are more the exception than the norm.

Another area in which we are very weak in information security is monitoring. During a flight an aeroplane is constantly monitored, both by the onboard crew and by air traffic control. Feedback from these systems is taken into account and adjustments made where necessary. Monitoring within the information security world is yet another area that many of us do not use properly. While we have excellent logging facilities available in our systems to record everything that happens in our environments, they are very rarely turned on, and if they are, we too often do not record the information we actually need. Key metrics to help the business and management make necessary decisions are not measured. System logs are not properly monitored to raise alerts when suspicious activity is detected. How often have we seen IDS systems implemented and then turned off because of a lack of proper configuration? How often do we hear about breaches where, if the affected company had been monitoring their systems properly, they would have detected the attack much earlier?

Time for Some Discipline

It has taken the airline industry a long time to get to where it is today. Many hard lessons had to be learned from serious disasters to ensure they would not happen again. But thanks to those efforts, air travel is now the safest form of travel. To get to this level required discipline, and lots of it. So I think it is time that we as a profession and an industry raise the bar and instil a lot more discipline into how we do things.

We need to ensure that everyone, from developers, to infrastructure management, to information security professionals, to senior management and of course the users, is more disciplined in what we do and how we approach protecting our data. By disciplining ourselves to do some of the basic chores, there are many quick wins that we can put in place that will raise the bar.

  • Discipline yourself to review the checklists that you currently have and ensure that they cover all the key elements that should be checked daily, weekly, monthly, quarterly and yearly. Once you have those checklists in place, make sure the discipline is there to ensure they are completed when they should be.
  • With regard to information security policies, you need to have the discipline to regularly review them, constantly monitor compliance with the policies, and deal with any non-compliance in a fair and consistent manner.
  • Developers should have the discipline in place to check their code for common coding errors that could lead to a security breach, by reviewing the excellent information provided by OWASP and SANS.
  • You should ensure that those managing the network infrastructure are disciplined enough to regularly monitor key systems and ensure that everything is patched and configured in a secure manner.
  • Instil the discipline in your organisation to develop and implement, or review existing, change management and incident response processes and procedures. Once these are in place, make sure the discipline is there to regularly review and test them to ensure they operate as they should, and always look for ways to improve.

Discipline is a small word, but if applied correctly you can become the Captain Chesley Sullenberger of information security.

Managing Information Security with ISO 27001

In partnership with the Centre for Software Engineering we are running a two day course on “Managing Information Security with the ISO 27001 Information Security Standard”. The course is scheduled to run on the 20th and 21st of October 2008 and you can book your place on the course by contacting the Centre for Software Engineering.

The “Managing Information Security with the ISO 27001 Information Security Standard” course provides a framework that will enable those responsible for securing sensitive information assets to use a quality-based approach to identify key assets and to decide how best to manage the associated threats and risks. The subjects covered include:

  • Overview of information security
  • Introduction to the ISO 27001 Information Security Standard
  • Identifying key information assets
  • Identifying risks
  • Strategies for mitigating and managing risk
  • Implementing appropriate security controls
  • Monitoring the effectiveness of security controls.

The course materials are supported with a number of practical exercises, tips and case studies to illustrate and give experience in applying the techniques described. More details of the course are available from the Centre for Software Engineering.

Upcoming SANS WhatWorks Event

SANS are running a WhatWorks in Penetration Testing & Ethical Hacking Summit on September 17th 2008 at the Le Meridien Piccadilly in London. The summit is a one day in-depth look at the latest techniques and best practices you should employ to run penetration tests against your networks. So whether you are responsible for securing your own network or the networks of clients, this is an excellent opportunity for you to enhance your knowledge base. You can register for the course here.

Managing Information Security With ISO 27001

In partnership with the Centre for Software Engineering we are running a two day course on “Managing Information Security with the ISO 27001 Information Security Standard”. The course is scheduled to run on the 17th and 18th of June 2008 and you can book your place on the course by contacting the Centre for Software Engineering.

The “Managing Information Security with the ISO 27001 Information Security Standard” course provides a framework that will enable those responsible for securing sensitive information assets to use a quality-based approach to identify key assets and to decide how best to manage the associated threats and risks. The subjects covered include:

  • Overview of information security
  • Introduction to the ISO 27001 Information Security Standard
  • Identifying key information assets
  • Identifying risks
  • Strategies for mitigating and managing risk
  • Implementing appropriate security controls
  • Monitoring the effectiveness of security controls.

The course materials are supported with a number of practical exercises, tips and case studies to illustrate and give experience in applying the techniques described. More details of the course are available from the Centre for Software Engineering.