Thursday, 13 September 2012

UK Government releases 10 Steps to Cyber Security advice sheet

The UK government via CESG, the Information Security Arm of GCHQ, have recently released a document entitled “10 Steps to Cyber Security”. The full document is available at

The 10 areas of focus within the document are given two pages each for further review and are as follows:

Home and Mobile Working
User Education and Awareness
Incident Management
Information Risk Management Regime
Managing User Privileges
Removable Media Controls
Secure Configuration
Malware Protection
Network Security

Overall, it is very important that the government is being proactive in highlighting the online threat landscape for businesses, and the references to control frameworks such as ISO 27000 are welcome. On the other hand, the fact that third-party service providers and [often exploited] online interfaces are not referenced appears to be a massive oversight. Unfortunately, many of the control frameworks are not easily found online. For example, the controls referenced are familiar from the PCI DSS, ISO 27000, the Code of Connection, Public Sector Network and IL3 requirements. Not all of these standards are freely distributed.

Sources of training and other informational material for the above would also be of enormous value to those perusing the document, as otherwise it appears to come to a 'dead end'. Use of SANS, NIST and CIS for secure systems baselines and the 'Think Privacy' campaign for user awareness are examples of excellent resources. Achieving the other controls through the implementation of sound and considered policies for users, passwords and audit logs can also draw on the SANS, NIST and CIS documents, as well as Microsoft and other online resources.

Tuesday, 4 September 2012

Deep INTEL - Day two

Another good day at DeepINTEL: a combination of talks on APTs, security intelligence gathering, social media and evasion techniques.

So if I had to pick my two favourites (other than yours, finux!) from day 2, they would be:

Massive Storage - Richard Perlotto (of Shadow Server fame)

Richard's talk had tech-awesomeness stamped right through it. The Shadow Server Foundation does some really cool analysis and intelligence gathering. Have a look at their site to get a good idea; I'll never do it justice here. Richard went into the details of how they handle the sheer volume of data that they have to work with. We're talking petabyte storage requirements without EVAs or SANs: relational databases are out, Hadoop HDFS and Cassandra are in, plus some custom software to do even more index and data management. Without doubt my favourite slide was the server density pic, where they show the servers mounted vertically rather than horizontally, as this allows more to be squeezed into a rack. The shelves were straining and the lights were flashing. Couldn't look at it without wanting one!

Facebook and you - Jonathon Deutsch

Here's Johnny! A nicely delivered presentation showing how intelligence gathering can be done by the various government agencies by crawling through Facebook profiles and the default settings for friend lists. The concept of Facebook-hardening was interesting, although quite counter to what Facebook is all about. Some good examples of where certain nation states had crafted fake profiles to try to get intel on military personnel.

The day has been stacked with discussion on mass malware, advanced persistent threats, and how to respond to them. Add in some antivirus evasion and DNS tunnelling examples and the audience were well engaged.

Hope I get to speak at a DeepSec event again; the guys run a good con. Everything ran really smoothly, scheduling was kept on top of and the venue was top notch. Highly recommended.

Deep INTEL - Day one

The guys from DeepSec have done a great job with the DeepINTEL conference. Well organised, great location and a good speaker line-up. They kindly let me talk about the importance of breach disclosure, so I gave an updated version of the Athcon talk incorporating some of the feedback and post-con chatter.

Quick summary of my favourite presentations from day one.

Wargames in the fifth domain - Karin Kosina

Karin gave a really great presentation on the concept and notions of "cyberwar", or rather what it isn't. When the slides go out I highly recommend a read through them, as the talk was well delivered and well referenced. It covered the various international treaties and conventions on what actually constitutes war and the acts of violence that constitute force.

I think the biggest take-away point for me from Karin's talk was that most of the rhetoric on cyber war actually describes electronic espionage (I'm going to stop saying cyber now!). Very few instances of damage have occurred that would constitute violence, which is what is needed for the act to be considered war.

Hopefully I'll manage to get her to co-author the piece I'm writing on collateral damage from electronic espionage.

Sexy Defence - Maximising the home field advantage - Iftach Ian Amit

Some really interesting content from Ian on establishing a culture of counter-intelligence and investigating what the legal extent of certain counter-ops is, as well as the benefits of sensible risk-based pen-testing. Good demo on poisoning malware to give it a signature that is easily detectable: that helps verify that your source of intelligence on threats is accurate, and also enables it to be blocked with a custom IDS signature. I think the BSides Dallas crew might have pinched Ian's subject, as the theme for their CFP is just called "sexy defence"!
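To make the "custom IDS signature" half of that demo concrete, here is an added example (my own code, not Ian's demo material and not from the DeepINTEL slides). It implements a small Snort-style content matcher: `parse_content` handles the `|DE AD|` hex-in-pipes syntax, `ContentRule` applies `offset`/`depth` windowing (treated here as depth measured from offset) and can render itself as a Snort rule line, and `scan` runs the rules over a set of payloads. The marker bytes `|DE AD BE EF|MARK-7f3a`, the rule names, the local SID and the sample payloads are all constructed for the example; none of them are real indicators.

```python
from typing import List, Optional, Tuple


def parse_content(spec: str) -> bytes:
    """Convert a Snort-style content string to raw bytes.

    Text between '|' pairs is hex (whitespace allowed, e.g. "|DE AD|");
    everything outside the pipes is taken literally.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal text section
        else:
            out += bytes.fromhex(part)      # hex section; fromhex skips spaces
    return bytes(out)


class ContentRule:
    """One content match with an optional offset/depth window, as in a Snort rule."""

    def __init__(self, name: str, content: str,
                 offset: int = 0, depth: Optional[int] = None) -> None:
        self.name = name
        self.content = content           # original spec, kept for rendering
        self.pattern = parse_content(content)
        self.offset = offset
        self.depth = depth

    def matches(self, payload: bytes) -> bool:
        # Search window starts at offset; if depth is set it ends depth bytes
        # after offset (this example's convention for the two modifiers).
        end = None if self.depth is None else self.offset + self.depth
        return self.pattern in payload[self.offset:end]

    def to_snort_rule(self, sid: int) -> str:
        """Render as a Snort rule line; sid should be a local id (1000000+)."""
        opts = [f'msg:"{self.name}"', f'content:"{self.content}"']
        if self.offset:
            opts.append(f"offset:{self.offset}")
        if self.depth is not None:
            opts.append(f"depth:{self.depth}")
        opts += [f"sid:{sid}", "rev:1"]
        return "alert tcp any any -> any any (" + "; ".join(opts) + ";)"


# Constructed marker: the unique byte sequence a defender planted in the
# sample, so any copy carrying it lights up on this rule. Hypothetical value.
MARKER_RULE = ContentRule("POISONED-SAMPLE-MARKER", "|DE AD BE EF|MARK-7f3a")

# Second rule shows windowing: "POST " must sit in the first 5 payload bytes.
POST_RULE = ContentRule("POST-AT-START", "POST ", offset=0, depth=5)

RULES = [MARKER_RULE, POST_RULE]

# Constructed payloads standing in for captured packet data.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"\xde\xad\xbe\xefMARK-7f3a",
    b"GET /x HTTP/1.1\r\nX-Note: POST \r\n\r\n",   # "POST " outside the window
    b"\xde\xad\xbe\xefMARK-7f3a",
]


def scan(payloads: List[bytes], rules: List[ContentRule]) -> List[Tuple[int, str]]:
    """Return (payload index, rule name) for every rule that fires."""
    hits = []
    for idx, payload in enumerate(payloads):
        for rule in rules:
            if rule.matches(payload):
                hits.append((idx, rule.name))
    return hits


if __name__ == "__main__":
    for rule, sid in ((MARKER_RULE, 1000001), (POST_RULE, 1000002)):
        print(rule.to_snort_rule(sid))
    for idx, name in scan(SAMPLE_PAYLOADS, RULES):
        print(f"payload {idx}: {name}")
```

Running it prints the two rule lines followed by hits on payloads 1 and 3 for the marker and on payload 1 for the POST rule; payload 2 carries "POST " but outside the 5-byte window, so the windowed rule correctly stays quiet. The point mirrors the talk: once the sample carries a marker you chose, a one-line content rule is enough to both confirm the intel feed is seeing the right thing and block it.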

Picking two favourites from the day two line-up could be tricky, as there do appear to be some good subjects on the roster.