my rating
0124202314 | 9780124202313 | 0124202314 | 4.30 | 101 | Jan 01, 2014 | Sep 05, 2014
it was amazing
This is the book that all cybersecurity professionals should read. Our profession is categorically bad at assessing risk. Jack and Jack describe the model, FAIR, that will make your life easier. This is the future. It is so important that the book was inducted into the Cybersecurity Canon in April 2016.
1 | Dec 28, 2015 | Apr 10, 2016 | Dec 23, 2015 | Paperback
0385539002 | 9780385539005 | 0385539002 | 3.93 | 4,316 | Feb 24, 2015 | Feb 24, 2015
None
0 | not set | not set | Jul 27, 2015 | Hardcover
159327288X | 9781593272883 | 159327288X | 4.06 | 853 | Jul 15, 2011 | Jul 15, 2011
None
0 | not set | not set | Feb 17, 2015 | Paperback
0976917300 | 0976917300 | 2.60 | 5 | 2005 | Jun 01, 2005
really liked it
The roles of the chief information officer (CIO), the chief security officer (CSO), and the chief information security officer (CISO) in the modern enterprise have been constantly changing since we invented the need for such roles in the 1980s and 1990s. By the mid-2000s, the industry had settled on tucking the security function for an organization under the IT function of an organization. In other words, the CISO works for the CIO. But Baich is an innovative thinker. He has looked at how the CISO role has evolved over the years and makes a pretty good case for where it needs to go next. By asking questions about the appropriate supervisor for a CISO, a CISO’s needed skill set, and ways to approach the CISO job function, Baich breaks new ground on how the industry should view these topics. Our industry will be slow to adopt these new ideas, but with the rash of highly publicized and impactful data breaches to the retail sector in 2014, perhaps the industry is ready to start making a change. Reviewing Baich’s book is a good place to start. It is cyber-security-canon worthy, and you should have read it by now. See the full review at the Cybersecurity Canon Website.
1 | not set | not set | Jan 17, 2015 | Paperback
0544251792 | 9780544251793 | 0544251792 | 3.77 | 1,233 | Nov 06, 2014 | Nov 11, 2014
None
0 | not set | not set | Nov 22, 2014 | Hardcover
1501210408 | 9781501210402 | 1501210408 | unknown | 3.75 | 2,672 | Sep 01, 2014 | Nov 18, 2014
really liked it
Executive Summary
In Spam Nation, Brian Krebs covers a key portion of our cyber security and cyber crime history: 2007–2013, that period when we started to learn about the Russian Business Network, bulletproof-hosting providers, fast-flux obfuscation, criminal best business practices, underground cyber crime forums, and strange-sounding botnet names like Conficker, Rustock, Storm, and Waledac. This period just happens to coincide with Krebs’s rise in popularity as one of the leading cyber security journalists in the industry. His relationship with two competitive pharmaceutical spammers—Pavel Vrublevsky and Dimitry Nechvolod—is a big bag of crazy and is the key storyline throughout the book. The competition between Vrublevsky and Nechvolod escalated into something that Krebs calls the Pharma Wars, and Krebs gives us a bird’s-eye view into the details of that escalation that eventually destroyed both men and the industry they helped to create. Krebs’s weird symbiotic relationship with Vrublevsky is worth the read by itself. Spam Nation is definitely a cyber security canon candidate, and you should have read this by now.

Introduction
I have been a fan of Brian Krebs for many years. His blog, Krebs on Security, has been a mainstay of my recurring reading list since he started it in 2010, and even before, when he was writing for The Washington Post. Since he struck out on his own, he has carved out a new kind of journalism that many reporters are watching to see how they might duplicate it themselves as journalism transitions from dead-tree printing to new media. Krebs’s beat is cyber security, and he is the leading journalistic authority on the underbelly of cyber crime.

Spam Nation is a retelling—with more detail and more color—of some of the stories he covered from 2007 until about 2013 on a very specific sub-element of the cyber crime industry called pharmaceutical spam. Many security practitioners will hear the phrase “pharmaceutical spam” and immediately start to nod off. Of all the problems they encounter on a daily basis, pharmaceutical spam is pretty low on the priority list. While that may be true, this subset of cyber crime is responsible for starting and maturing many of the trappings that we associate with cyber crime in general: botnet engines, fast-flux obfuscation, spamming, underground forums, cyber crime markets, good service as a distinguisher of criminal support services, and bulletproof-hosting providers.

The Story
The story really begins with Krebs’s weird symbiotic relationship with Vrublevsky (a.k.a. RedEye and Despduck). Vrublevsky was a Russian businessman and cofounder and former CEO of ChronoPay, the infamous credit card processing company that initially got started in the rogue anti-virus industry. I think it is safe to say that in his heyday, Vrublevsky was a bit of an extrovert. He followed Krebs’s blog religiously and would instigate long conversations with Krebs on stories that were fantastical, true, and everything in between. Vrublevsky would feed Krebs half-truths about what was going on in the industry and left it to Krebs to sort it out. Vrublevsky’s downfall was his deteriorating relationship with his former partner, Dimitry Nechvolod (a.k.a. Gugle). Vrublevsky and Nechvolod founded ChronoPay together in 2003, but by 2006, Nechvolod had left the company to pursue his own interests. He started two pharmacy spam operations called GlavMed and SpamIT.

Because of the competition between these two men, the situation escalated out of control to something that Krebs calls the Pharma Wars, which ultimately scuttled the entire pharmaceutical spam industry, not just Vrublevsky and Nechvolod’s operations, but everybody else’s too. Krebs’s main sources of information for this book came from leaked customer and operational databases from these two men. Although Vrublevsky and Nechvolod never admitted it, they both stole the other’s data and leaked it to Krebs. Krebs had many conversations with both Vrublevsky and Nechvolod about their side of the story, and Krebs even traveled to Moscow to interview Vrublevsky personally. From these conversations and other research done by Krebs, we get an inside view of how cyber crime operates in the real world. Krebs set himself seven research questions:
• Who is buying the stuff advertised in spam and why?
• Are the drugs real or fake?
• Who profits?
• Why does the legitimate pharmaceutical industry seem powerless to stop it?
• Why is it easy to pay for the drugs with credit cards?
• Do customers have their credit card accounts hacked after buying?
• What can consumers, policy makers, and law enforcement do [about this cybercrime]?
For the most part, he answers all these questions. I will not spill the answers here, but I will tell you that I was surprised by every single one. I thought I knew this stuff, but Krebs provides the insight and research to make you re-evaluate what you think you know about illegal pharmaceutical spam operations.

Spam Nation is about Brian Krebs’s story too. Traditional journalists reading this book are going to hate the fact that he plays a key role in most everything that he talks about in this book. His original reporting on bulletproof-hosting providers operating in the US and elsewhere—the Russian Business Network (RBN), Atrivo, and McColo—became the catalyst that eventually got them shut down. This got him noticed by Vrublevsky and started that weird relationship that ultimately led to Krebs receiving the databases from Vrublevsky and Nechvolod. It also led him to leave The Washington Post and to start his Krebs on Security blog.

In the background, Krebs introduces us to the key players involved in the development and operations of some of the most infamous botnets that have hit the Internet community in recent history:
• Conficker worm (author: Severa; infected 9-15 million computers)
• Cutwail botnet (authors: Dimitry Nechvolod (Gugle) and Igor Vishnevsky; 125,000 infected computers; spewed 16 billion spam messages a day)
• Grum botnet (author: GeRA; spewed 18 billion e-mails a day)
• Festi botnet (operators: Artimovich brothers; delivered one-third of the total amount of worldwide spam)
• Rustock botnet (author: COSMA; infected 150,000 PCs; spewed 30 billion spam messages a day)
• Storm botnet (author: Severa)
• Waledac botnet (author: Severa; spewed 1.5 billion junk e-mails a day)

From my reading, Krebs’s unintentional hero of his story is Microsoft. While Vrublevsky and Nechvolod were tearing each other apart and Krebs was trying to sift through what was true and what was not, Microsoft and other commercial, academic, and government organizations were quietly dismantling the infrastructure that these and other illicit operations depended on:
• June 2009: 15,000 illicit websites go dark at 3FN after the Federal Trade Commission convinced a northern California judge that 3FN was a black-hat service provider. NASA did the forensics work.
• November 2009: FireEye takes down the Mega-D botnet.
• January 2010: Neustar takes control of the Lethic spam botnet.
• March 2010: Microsoft takes down the Waledac botnet.
• October 2010: Armenian authorities take down the Bredolab botnet.
• March 2011: Microsoft takes down the Rustock botnet.
• July 2011: Microsoft offers a $250,000 reward for information leading to the arrest and conviction of the Rustock botmaster.
• July 2012: FireEye and Spamhaus take down the Grum botnet.
• July 2013: Microsoft and the FBI take down 1,400 botnets using the Citadel malware to control infected PCs.
• December 2013: Microsoft and the FBI take down the ZeroAccess botnet.
• June 2014: The FBI takes down the Gameover Zeus botnet.

One takedown masterstroke came out of academia. George Mason University, the International Computer Science Institute, the University of California, San Diego, and Microsoft determined that 95 percent of all spam credit card processing was handled by three financial firms: one in Azerbaijan, one in Denmark, and one in Nevis (West Indies). They also pointed out that these financial firms were in violation of Visa’s own Global Brand Protection Program contract that required fines of $25,000 for transactions supporting the sale of Viagra, Cialis, and Levitra. Once Visa started levying fines, the financial firms stopped processing the transactions. The beauty of this takedown was that this was not a legal maneuver through the courts and law enforcement. It merely encouraged Visa to follow its own policy.

Cyber Crime Business Operations
For me, one of the most enjoyable parts of Spam Nation is the insight on how these criminal organizations operate. For example, Krebs highlights why pharmaceutical operations have great customer support: they want to avoid the penalty fees associated with a transaction when a buyer of illicit pills charges them with fraud. These are called chargebacks, and pharmaceutical customer support operations avoid them like the plague. These support operations require teams of software developers and technical support staff to be available 24/7.

Pharmaceutical operations have mature anti-fraud measures—equivalent to any legitimate bank’s anti-fraud measures—because they need to keep law enforcement and security researchers out of their business. Most spammers do not make a lot of money. The top five do, but not everybody else. Krebs points out that it takes a multibillion dollar security industry to defend against a collection of criminals who are making a living wage. In terms of botnet management, operators rent out top-earning botnets to other operators who do not have the skill to build a botnet themselves. Renters purchase installs and seed a prearranged number of bots with an additional malicious program that sends spam for the affiliate. They pay the rent by diverting a portion of their commissions on each pill sale from spam. Sometimes, that commission is as high as 50 percent. That is why the small-timers do not make any money. Operators launder their money in a process called factoring. They map their client transactions into accounts on behalf of previously established shell companies. They tell the banks that the shell companies are the true customers. Then the operators pay the clients out of their own pockets. Russian law allows FSB agents (Federal Security Service, the successor to the Soviet Union’s KGB), while remaining in the service, to be assigned to work at enterprises and organizations at the consent of their directors. Twenty percent of FSB officers are engaged in this protection business called “Krusha” in Russian, which means “roof,” and pharmaceutical spam operations use them as much as possible. Partnerships, called partnerkas, between spammers and dodgy advertisers that act as an intermediary for potential sponsors are essential. In this way, sponsors keep their distance from the illicit aspects of the spam business and can unplug from one partnerka in favor of another whenever they want.

Some refer to this as organized crime (think The Godfather), but it is more like a loosely affiliated network of independent operators. With all of these best business practices, you can see why the operators do not see themselves as criminals. They are just businesspeople trying to run a business.

The Tech
Cyber crime runs on technology. In the pharmaceutical spam business, some tech is unique, and other tech is shared with other kinds of cyber crime operations. Unique to pharmaceutical spam is a technique called black search engine optimization (Black SEO). Pharmaceutical spammers hack legitimate websites and insert hidden pages (IFrames) with loads of pharmaceutical website links. The more links that the common search engines like Google and Bing index, the higher the pharmaceutical sites get in the priority list when normal users search for pills online. Also unique to the pharmaceutical spam business is a good spam ecosystem. It must have the ability to keep track of how many e-mails the system delivered and how many recipients clicked the link. It must scrub e-mail addresses that are no longer active or are obvious decoys and harvest new e-mail addresses for future operations.

Not unique to pharmaceutical spam are the forums. Forums are the glue that allows the loosely affiliated network of independent operators to communicate with each other. Forums are a place that allows newbies an opportunity to establish a reputation and lowers the barriers to entry for a life of cyber crime. There are forums for every language, but most are in English. Members enforce a strict code of ethics so that members who are caught cheating other members are quickly banned. Social networking rankings give members a way to evaluate potential partners. A single negative post may cost an individual thousands of dollars. Because of that, most amicably resolve issues. Sometimes newbies get labeled as a “deer,” members who unintentionally break one of the forum’s rules. More-serious infractions might find a member in the blacklist subforum defending himself or herself from fraud allegations. New forums start all the time, but some have been in existence for more than a decade, indicating process maturity for self-policing, networking, and rapid information sharing. New forums allow open registration, but mature forums set up various hurdles for membership that are designed to screen out law enforcement and hangers-on. Most have sub-rooms for specialization such as the following:
• Spam
• Cyber banking fraud
• Bank account cash-out schemes
• Malicious software development
• ID theft
• Credit card fraud
• Confidence scams
• Black SEO
Forums have many members (tens of thousands in some), but they exist to make money for the administrators. Admins offer additional services to improve the user experience. They offer escrow services—a small percentage of the transaction cost held until both sides agree that the other held up its end of the bargain—and stickies—ads that stay at the top of their sub-forums that range in price from $100 to $1,000 per month.

Conclusion
In Spam Nation, Brian Krebs covers a key portion of our cyber security and cyber crime history: 2007–2013, that period when we started to learn about the Russian Business Network, bulletproof-hosting providers, fast-flux obfuscation, criminal best business practices, underground cyber crime forums, and strange-sounding botnet names like Conficker, Cutwail, Grum, Festi, Rustock, Storm, and Waledac. This period just happens to coincide with Krebs’s rise in popularity as one of the leading cyber security journalists in the industry. His story, and the story of two competitive pharmaceutical spammers who eventually destroyed the lucrative moneymaking scheme for all players, is a fascinating read. It is definitely a cyber security canon candidate, and you should have read this by now.

Sources
“Spam Nation: The Inside Story of Organized Cybercrime - from Global Epidemic to Your Front Door,” by Brian Krebs, published by Brilliance Audio, 18 November 2014, last visited 13 November 2014, https://www.goodreads.com/book/show/2...
1 | Nov 11, 2014 | Dec 13, 2014 | Nov 11, 2014 | Audio CD
077043617X | 9780770436179 | 077043617X | 4.17 | 7,501 | Jun 03, 2014 | Nov 11, 2014
it was amazing
Zetter can really write and accomplishes a major feat here. She covers a lot of ground from the extremely technical to the geo-political. The story of Stuxnet has been complicated from the start, and it takes somebody like Zetter to pull everything together into a comprehensive narrative. I am writing the full book review now, but this is a really fine book and is cybersecurity canon worthy.
1 | Nov 14, 2014 | Dec 30, 2014 | Nov 07, 2014 | Hardcover
1593275099 | 9781593275099 | 1593275099 | 4.08 | 251 | Jul 22, 2013 | Jul 15, 2013
it was amazing
You can read all of the book reviews in the Cybersecurity Canon here: https://paloaltonetworks.com/threat-r...

Executive Summary
Richard Bejtlich is one of the most respected security practitioners in the community. If he publishes something, we should all take notice. In The Practice of Network Security Monitoring, Bejtlich provides the theory and the hands-on tutorial on how to do network security monitoring the right way. The book is a primer on how to think about network security monitoring and incident response. For seasoned security practitioners, working through the examples in this book will only increase your understanding of the subject. For the beginners in the crowd, Bejtlich provides step-by-step instructions on how to install, configure, and use some of the best open-source tools available that will help any security program improve its network security monitoring capability. Newbies working through the examples in this book will demonstrate to themselves, once and for all, if they have what it takes to work in this field. This book is absolutely a Cybersecurity Canon Candidate, and you should have read it by now.

Introduction
I have been a fan of Bejtlich for a long time. He has been a cyber security book reviewer for many years, and he was the inspiration for me to start doing my own book reviews. He is a no-nonsense kind of guy and has been practicing and advancing the craft of network security monitoring and incident response since he started in the industry as a US Air Force officer in 1998. Since then, he has risen in the ranks at some prominent security-minded companies—Foundstone, ManTech, and GE—and today he is the chief security strategist for FireEye. He knows a thing or two about network security monitoring and response.

I happen to agree with his general philosophy of cyber security defense, and this book provides an introduction to that philosophy as well as an in-depth, hands-on look at the best open-source tools available. The book is a primer on how to think about network security monitoring and incident response, and for the beginners in the crowd, it provides step-by-step instructions on how to install, configure, and use some of the best open-source tools available that will help any security program improve its network security monitoring capability. I am often asked what skills a wannabe cyber security analyst needs to get into the cyber security industry. My glib go-to answer, and the first question I ask any candidate asking to work for me, is: can you install a Linux distribution on your home computer? If a newbie cannot get through that basic exercise, he or she should probably seek employment somewhere else. After reading this book though, I plan to up my game. My new question is: can you work through all of the examples in this book and make sense of it all? If you can, you may have a future in the cyber security industry as a SOC analyst or an incident responder. If you struggle with this book, then cybersecurity might not be for you.

The Network Security Monitoring Story
In my own career, I have routinely seen organizations buy and deploy every shiny and new cybersecurity tool that they could get their hands on and deploy them within the enterprise. Their leadership’s grand strategy seemed to be that shiny equals good. In my early days, I may have even subscribed to that theory. Today, I do not have the energy to chase every bright light that appears on the cyber security market. I mostly just want to see what I have already deployed work the way that I thought it should when I originally bought it.

Network Security Monitoring Is More Than Just a Set of Tools
Buying and deploying new technology is relatively easy compared to training the people and developing the processes necessary to fully use it. Organizations tend to forget this. They think that if they just buy the latest tool—pick your tool, it does not matter which one—that it will miraculously configure itself, monitor itself, and forcefully eject any intruders by itself. In the real world, this does not happen. Bejtlich agrees: “Products and technologies are not solutions. They are just tools. Defenders (and an organization’s management) need to understand this. No shiny silver bullet will solve the cybersecurity problem. Attacks have life cycles, and different phases of these life cycles leave different evidence in different data sources that are best exposed and understood using different analysis techniques. Building a team (even if it is just a team of one) that understands this and knows how to effectively position the team’s assets (including tools, people, and time) and how to move back and forth between the different data sources and tools is critical to creating an effective incident response capability.”[1] In a previous job, I had all of the best toys pumping mountains of data to a 24/7 security operations center, but finding an advanced adversary in all of that data was way too hard. The SOC analysts performed Herculean tasks, but we did not have the processes in place, nor the people trained to develop the processes, to fully use all of that advanced technology. It was frustrating. The bottom line is that if you buy the tool, make sure you spend some resources training your people and developing a plan to incorporate the tool into your overall security program.

Bejtlich also says that your traditional tools are not going to help much with our brand new cloud environments.[1] Customers of cloud environments just do not have access to the networks that a network security monitoring team needs. As we move more and more to the cloud, this can be either a liability or a major opportunity for a young entrepreneur to solve the problem.

Operate Like You Are Compromised: Kill Chain Analysis
In a previous blog, I said that kill chain analysis is one of the three great innovations that have come down the pipe from the security community this past decade.[2] Bejtlich says that Lockheed Martin’s paper on kill chain analysis[3] is unique because followers of the philosophy align their security program along the same lines that adversaries must use to penetrate their victim’s network. He confirms the notion that I have had for a few years now that the very old “defense-in-depth” model—which we all adopted in the early 1990s to keep the adversary out of our networks—is dead. It is simply not possible. On the other hand, it does not necessarily mean that you have a disaster on your hands just because one or more adversaries manage to work their way down a couple of links of your kill chain.[3] The idea is to detect these adversaries before they can accomplish their ultimate goal: crime, espionage, hacktivism, warfare, mischief, or whatever. Bejtlich says, “Prevention eventually fails … Rather than just trying to stop intruders, mature organizations now seek to rapidly detect attackers, efficiently respond by scoping the extent of incidents, and thoroughly contain intruders to limit the damage they might cause.”[1] My own personal goal is early detection, quick eradication, and automatic prevention of those observed attacks going forward before these adversaries can claim victory. With the old defense-in-depth model, we were trying to prevent all penetrations into the network. Bejtlich says, “It’s become smarter to operate as though your enterprise is always compromised.”[1] Kelly Jackson Higgins interviewed Steve Adegbite, the director of cyber security for Lockheed Martin (LM), in 2013 regarding how LM used kill chain analysis to discover that the company’s RSA token deployment had been compromised.[4] Adegbite said that “The goal of the Kill Chain is to make sure [the adversaries] don't get to step 7 [of the Kill Chain] and exfiltrate.”[4] In other words, it is acceptable for adversaries to penetrate your networks as long as you have installed the processes to contain the damage they might cause.

Network Security Monitoring as a Decision Tool, Not a Reaction Process
Bejtlich’s take on network security monitoring is subtly different than what I would expect from most other security practitioners who have not had a lot of experience actually doing it. According to Bejtlich, these practitioners use network security monitoring for forensics and troubleshooting.[1] His take is to use the discipline as a decision tool for how to contain the detected adversary. He also believes you have to measure your team’s effectiveness by measuring things like:
* How long it takes to detect adversaries once they have entered your network
* How long it takes to contain adversaries once you have detected them
In the 2014 Verizon Data Breach report,[5] researchers show that of the 1,367 known data breaches in 2013, security teams discovered less than 25 percent of them (341) within days of the initial compromise. Security teams discovered the rest (1,026) many days and weeks later. Bejtlich says that for a network security monitoring program to be effective, teams must measure how they reduce that time.[1]

Incident Response and Threat Intelligence Go Together
Bejtlich talks about the various approaches to handle a breach within your organization. Some incident response teams elect to identify the compromised asset, take it offline, maybe do some forensics on it, re-image it, and then put it back online so that they can wait for the next breach to happen. I call this the whack-a-mole approach to incident response. This process provides you no context about what the adversaries did and why. Other organizations engage their threat intelligence group and are able to understand the impact of what these adversaries are trying to accomplish. Bejtlich explains that incident response teams can frame the attacks from different perspectives: a threat-centric approach and an asset-centric approach.[1] He says that threat intelligence teams track adversaries by campaigns but that incident response teams respond to the adversary’s actions in waves.[1] He provides practical guidance about what kind of skills and capabilities an incident response team and intelligence team require.

So that’s the story: build a network security monitoring program by deploying the right tool, training your people how to use the tool properly, and developing the processes necessary to incorporate the tool into the overall program. Assume that your network is already compromised, and aggressively track adversaries down the kill chain. Remember, the network security monitoring team’s goal is to prevent adversaries from accomplishing their goals. Use the program to make decisions about how to contain the adversary quickly and efficiently, and use your intelligence team to understand the context of how and why the adversary is attacking your network. Let’s talk about the tech.

The Network Security Monitoring Tech
This is where it gets really good. The theory is one thing—and I like the theory part—but the actual doing is what really matters. Bejtlich provides a hands-on tutorial on how to deploy the best open-source tools to do network security monitoring. If you are a young person thinking that you want to be a cyber security professional or if you are transitioning careers and you think cyber security is something you can handle, get this book and work through the examples. If you can do them, then I want to talk to you about a job. If you can’t, then maybe consider a less technically demanding career. Bejtlich says that there are two types of network security monitoring data: full content and extracted content. He says that network security monitoring tools help analysts review these different data types and make a decision about containment based on an organization’s network security process.[1] He points practitioners to Doug Burks’ Security Onion (SO) distribution to get three types of tools: data collection, data presentation, and packet analysis.

Data Collection Tool:
* Argus

Data Presentation Tools:
* Tcpdump
* Tshark (the command line version of Wireshark)
* Argus’s Ra client
* Dumpcap in concert with Tshark

Packet Analysis Tools:
* Wireshark
* Xplico
* NetworkMiner

Conclusion
Richard Bejtlich is one of the most respected security practitioners in the community. If he is speaking somewhere, take the time to hear what the man has to say. The same goes for his writing. If he publishes something, we should all take notice. In The Practice of Network Security Monitoring, Bejtlich provides the theory of and the hands-on tutorial on how to do network security monitoring the right way. He tells you why you should be doing it and how it should work together, and he gives you step-by-step instructions on how to deploy and use the best open-source tools available. If you are already a seasoned security practitioner, working through the examples in this book will only increase your understanding of the subject. If you are a newcomer to the subject, working through the examples will indicate once and for all if you have what it takes to work in this field. This book is absolutely a cyber security canon candidate, and you should have read it by now.

Sources
[1] "The Practice of Network Security Monitoring: Understanding Incident Detection and Response," by Richard Bejtlich, No Starch Press, 2 August 2013, last visited 29 September 2014, https://www.goodreads.com/book/show/1...
[2] "Help Me Obi Wan – You’re My only Hope: Three Cyber Security Innovations to Give You Courage," by Rick Howard, Terebrate, 10 June 2013, last visited 30 September 2014, http://terebrate.blogspot.com/2013/06...
[3] "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," by Hutchins, Cloppert & Amin, Lockheed Martin Corp., 2011, last visited 29 September 2014, http://www.lockheedmartin.com/content...
[4] "How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack," by Kelly Jackson Higgins, DarkReading, 12 February 2013, last visited 30 September 2014, http://www.darkreading.com/attacks-br...
[5] "2014 DATA BREACH INVESTIGATIONS REPORT," by Verizon, 2014, last visited 1 October 2014, http://www.verizonenterprise.com/DBIR...
Read count: 1 | Date started: Apr 13, 2014 | Date read: Oct 06, 2014 | Date added: Apr 13, 2014 | Format: Paperback
ISBN: 0321246772 | ISBN13: 9780321246776 | ASIN: 0321246772 | Avg rating: 4.27 | Ratings: 133 | Date published: Jul 01, 2004 | Edition published: Jul 15, 2004 | My rating: None
Read count: 1 | Date started: not set | Date read: not set | Date added: Jun 27, 2013 | Format: Paperback
ISBN: 0321812573 | ISBN13: 9780321812575 | ASIN: 0321812573 | Avg rating: 3.90 | Ratings: 41 | Date published: Jan 01, 2012 | Edition published: Jan 24, 2012 | My rating: liked it
Executive Summary

The authors have reviewed more than 700 cases of insider threat attacks and developed a comprehensive list of mitigation controls that might have prevented them. The book is not very well organized, but the content represents the authoritative source on precursor behavior that may illuminate potential insider attacks. In that regard, it is a must-read for cyber security professionals.

What is clear from reading the book is that there is no technical solution that will prevent insider attacks. Technology can aid in discovery, but it is not a panacea; it will not prevent a determined inside attacker. A good program will accomplish four tasks:

1: Train employees and their managers to watch for the signs of potential insider threat behavior.
2: Provide the mechanisms across the organization to report and review the activity.
3: Establish and maintain the apparatus to report potential abuse and respond to incidents when necessary.
4: Mitigate the risk before any damage is done.

The key to the entire program is the human element, and that is why defending against the insider threat is hard.

Full review at http://bit.ly/1gDlUnt
Read count: 1 | Date started: Jul 14, 2013 | Date read: Oct 22, 2013 | Date added: Dec 21, 2012 | Format: Hardcover
ISBN: 031261246X | ISBN13: 9780312612467 | ASIN: 031261246X | Avg rating: 3.56 | Ratings: 5,800 | Date published: Mar 2011 | Edition published: Mar 15, 2011 | My rating: liked it
Link to my personal blog review: http://bit.ly/15mOe5w

Executive Summary: I recommend this book for the casual reader that is interested in cyber security topics. It is not a must-read if you are already a cyber security professional. You probably already know about most of the topics covered. However, if you have friends and family that wonder what you do every day, you might hand this to them as a primer. And, if you are looking for some pretty good reading material for your next beach vacation, you could do a lot worse. “Zero Day” is a fun political thriller that shows computer security geeks saving the day. In it, Russinovich describes the nature of cyber crime and how a cyber terrorism campaign might be launched against the US.

Review: I appreciate what Mr. Russinovich is trying to do with this novel: tell an exciting, “Die Hard-ish” story with interesting cyber security people and realistic tech and, at the same time, inform the general reader about how dangerous the current state of the cyber security environment is. In a presentation that Russinovich did at RSA last year to supplement this book, he quoted Senator Joe Lieberman: “To me it feels like it is September 10 2001. The system is blinking red – again. Yet we are failing to connect the dots – again [2].” One of the reasons I started this blog was to talk about novels that do this very thing. Russinovich has devoted two books to the idea: this one and the sequel called “Trojan Horse” that he published in 2012. Well done, sir. He is also a geek of the highest order. He is a Microsoft Technical Fellow, a co-founder of the famous Sysinternals website [3], and he was the guy that discovered the rootkit that Sony BMG installed on its music CDs back in 2005 [4].

The good guys in the story are a Mr. Jeff Aiken, an überkind computer security consultant with a past, and Daryl Haugen, the US CERT director and no slouch in the technical prowess department. These two fight the US government bureaucracy in an effort to defeat a follow-on 911 cyber-attack that is intended to destroy a significant portion of every data system in the US. Along the way, the reader is treated to colorful descriptions of malicious code attacking an on-board in-flight aircraft computer system causing a near-crash, adjusting the geo-positioning system on a large oil tanker that causes a harbor crash and the spillage of millions of tons of crude oil into the harbor, tinkering with the Supervisory Control and Data Acquisition (SCADA) systems in multiple nuclear power plants, and controlling multiple manufacturing robots on an assembly line that eventually causes the murder of one of the human technicians. The main hacker in the story is Superfreak (AKA Vladmir Koscov), a Russian engineer who has found a way to make a pretty good living building elite malicious code for his benefactors. His benefactors are two Islamic brothers with ties to Osama bin Laden who are intent on striking the US another significant blow after the first 911 attacks. One of the brothers even makes a special pilgrimage across the desert to receive his mission from Osama bin Laden personally. Russinovich uses this Tom Clancy-ish plot to push the story forward. Along the way, he takes the time to explain the cyber security environment to the average reader.

He provides decent descriptions of the classic “Salami Slice” bank hack (see the movies “Superman III” or “Office Space” or “Hackers”) [5], the game-changing Slammer Worm attack of 2003 that compromised every machine on the planet that it was going to compromise in 10 minutes (some 75,000 victims) [6], the E-Gold money laundering scheme (a blackhat internet service that was popular for a few years in the 2000s) [7], and what a zero day vulnerability is [8]. He makes the point about why the US is vulnerable to the plot’s cyber terrorism evil plan compared to other nations based on how completely the US has embraced the internet for day-to-day business. This is the asymmetry problem described by Clarke in his Cyber Warfare book and the leverage that China has been taking advantage of for the past decade [9].

I first read this book when Russinovich published it back in 2011. Although I enjoyed it, I did not put it on my list of “Books I recommend to my cyber security geek friends.” The reason I did not was that the character portraits that Russinovich paints just did not ring true. I mean all the good-guy main characters were geniuses and beautiful (men and women). He describes the two main women geeks as off-the-charts elevens (on a 1-10 scale). I have known a lot of geeks in my life. Although many were geniuses in their own right, “beautiful” is not an adjective that would come to mind first to describe their physical appearance (present company included). Most of the geeks that I hang around with are happy just to have a female in the room. Traditional Hollywood-style beauty is not normally in the equation (for both the men and the women). The main computer geek, Jeff, had discovered that the 911 attacks were going to happen before they did (because of his “mad” computer skills) and was prevented from warning the nation because of a misguided bureaucrat. The last half of the book describes the two main characters traipsing around the world (France and Russia) on their own trying to eliminate the threat. I love my geek friends, and most of us have large egos that make us believe we are way more important than we really are, but most of this is out of our comfort zone. Finally, the straw that broke the camel’s back for me was the fact that the same evil bureaucrat that prevented Jeff from warning the nation about the 911 attacks was the guy that the terrorists in this book turned in order to gain information to launch this second wave attack. That plot point was a little too “on the nose,” if you know what I mean.

On a second reading, though, I have changed my mind. Russinovich is not doing anything here that is not done by other authors in other books of this political thriller genre. The heroes in all of these books (and movies) are geniuses and beautiful. It is why we like to read these things. What jarred me at the first reading was that I was not expecting to see that formula applied to my peeps. I imagine the experience is similar to what normal cops and government spies do when they see their counterparts described in books and movies. I am sure there is a lot of eye-rolling going on about what a real cop does compared to a hero cop in a novel. Russinovich did not write this book for me. He wrote it for the masses. Once I got past this idea, it was easier for me to be less critical.

This book is not a must-read if you are already a cyber security professional. You probably know about most of the topics covered. However, if you have friends and family that wonder what you do every day, you might hand this to them as a primer. And, if you are looking for some pretty good reading material for your next beach vacation, you could do a lot worse. “Zero Day” is a fun political thriller that shows computer security geeks saving the day. How is that not a great way to waste some time on the beach?

Sources:

[1] “Announcing Trojan Horse, the Novel,” by Mark Russinovich, Mark Russinovich’s Blog, 8 May 2012, Last Visited 6 February 2013, http://blogs.technet.com/b/markrussin...
[2] “ZeroDay – A non-Fiction View,” by Mark Russinovich, RSA Conference 2012, 23 March 2012, Last Visited 13 February 2013, http://www.youtube.com/watch?v=SX7Lxv...
[3] “Windows Sysinternals,” by Mark Russinovich and Bryce Cogswell, Microsoft, Last Visited 13 February 2013, http://technet.microsoft.com/en-us/sy...
[4] “Sony Rootkits and Digital Rights Management Gone too Far,” by Mark Russinovich, Mark Russinovich’s Blog, 31 October 2005, Last Visited 13 February 2013, http://blogs.technet.com/b/markrussin...
[5] “What is Salami Slicing,” by WiseGeek, Last Visited 13 February 2013, http://www.wisegeek.com/what-is-salam...
[6] “Inside the Slammer Worm,” by D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, CAIDA: The Cooperative Association of Internet Data Analysis, August 2003, Last Visited 13 February 2013, http://blogs.technet.com/b/markrussin...
[7] “E-Gold Pleads Guilty to Money Laundering,” by Robert Lemos, Security Focus, July 2008, Last Visited 13 February 2013, http://www.securityfocus.com/news/11528
[8] “Vulnerability Trends,” by Symantec, Last Visited 13 February 2013, http://www.symantec.com/threatreport/...
[9] “Book Review: Cyber Warfare: The Next Threat to National Security and What to Do about It,” by Rick Howard, Terebrate, 21 January 2013, Last Visited 13 February 2013, http://terebrate.blogspot.com/2013/01...
Read count: 1 | Date started: not set | Date read: not set | Date added: Jul 08, 2012 | Format: Hardcover
ISBN: 0061962236 | ISBN13: 9780061962233 | ASIN: 0061962236 | Avg rating: 3.73 | Ratings: 2,402 | Date published: Apr 20, 2010 | Edition published: Apr 20, 2010 | My rating: really liked it
My Blog (Terebrate) review of this book: http://bit.ly/V1Sv6Y

Executive Summary: I recommend this book. It is essential to the cyber warrior who needs to understand the historical context around the evolution of defending any nation in cyber space. For international policy makers, it is a good place to start for a real discussion about substantive policies that the international community should consider. For the commercial security folks, read this book if you want insight into how government policy makers frame the problem and what they would want to implement if they could. Even if you do not agree with the policies, you will understand what they want. Clarke and Knake discuss the nature of cyber warfare, cyber espionage, cyber crime and cyber terrorism and provide specific examples of cyber warfare and cyber espionage.

Review: Since 2009, a plethora of books have hit the market that discuss the issue of cyber warfare. Here are just a few:

Apr 2009: Cyberpower and National Security (National Defense University) by Franklin D. Kramer, Stuart H. Starr and Larry Wentz
Nov 2009: Cyberdeterrence and Cyberwar by Martin C. Libicki
Jan 2010: Inside Cyber Warfare: Mapping the Cyber Underworld by Jeffrey Carr
Apr 2010: Cyber War: The Next Threat to National Security and What to Do About It by Richard A. Clarke and Robert Knake
Jul 2010: Surviving Cyberwar by Richard Stiennon
Jun 2011: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners by Jason Andress and Steve Winterfeld
Sep 2011: America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare by Joel Brenner

I have read two (Winterfeld’s and now Clarke’s) and I am working my way down the list, but I wanted to read this one sooner rather than later because of Clarke’s background. Before he retired from government service, he served three different US Presidents as the Special Assistant to the President for Global Affairs, the National Coordinator for Security and Counterterrorism and the Special Advisor to the President for Cyber Security [1]. Besides, I just finished reading his novel “Breakpoint,” about a significant cyber threat to the US, and thought he got most of the technical stuff right [2]. I figured he might have something smart to say about Cyber War.

Clarke and Knake published this in April 2010, just months short of when the public became aware of STUXNET [3]. Some of the things he suggests for ways forward suffer because of that game-changing event, but for the most part, I like what he brings to the table. But because of his background, this book is about policy and not really about how a nation might deploy assets in a cyber war. Specifically, it is about what the US should consider adopting going forward when considering the implications of an all-out cyber war. He starts with a history of cyber events to demonstrate why we need the policy. He covers the usual suspects and adds one or two of which I had not previously heard:

(1997) CND: Eligible Receiver: US Red Team exercise that showed how vulnerable the DOD is to cyber attack [4].
(1998) Espionage: Moonlight Maze: Massive government and government-contractor data exfiltration traced back to a Russian mainframe; attribution: likely Russian government [5][6].
(1999) Warfare: “Unrestricted Warfare”: Book by Chinese military leaders that crystalizes China’s thoughts on asymmetric warfare [7].
(2003) Espionage: Titan Rain: Widespread compromise and data exfiltration of US government and US-government-contractor systems; attribution: likely Chinese government [8].
(2003) Warfare: US compromise of the Iraq email system prior to launch of the 2d Iraq War [9].
(2007) Warfare: DDOS attack against Estonia; attribution: likely Russian government [7].
(2007) Warfare: US-Israeli DOS attack against Syrian Air Defense Systems [10].
(2008) Warfare: DDOS attack against Georgia; attribution: likely Russian government [7].
(2009) Warfare: DDOS attack against US and South Korean targets; attribution: likely North Korean government [11].

Notice that some of these events are not really about cyber warfare at all. Two are strictly cyber espionage related (Moonlight Maze and Titan Rain). One is purely Computer Network Defense (Eligible Receiver). Some (Estonia and Georgia) just barely meet Clarke’s cyber warfare definition: “[T]he term “cyber war” … refers to actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.” But all of these events have shaped Clarke’s thoughts on what to do about cyber warfare. “Eligible Receiver” proved that DOD networks are vulnerable. Even after a decade, you could make the case that DOD networks are as porous today as they were back in 1997 [12][13]. “Moonlight Maze” was the proverbial wakeup call though. A year before the Chinese figured out what asymmetry is, somebody from Russia broke into a large number of government systems and stole truckloads of data. I believe this is the first documented public cyber espionage case. A year later, the Chinese crystalized their thoughts about how useful asymmetry might be in a coming conflict with the US. The Chinese watched how successful the Americans were in the first Iraq war but also how dependent on technology the US Army was in its efforts. Chinese military leaders believed that a nation that was not as strong militarily (China) could leverage an existing asymmetry by concentrating on defeating the technology first and not the tanks, aircraft carriers and fighter jets that they were no match for. According to dictionary.com, asymmetry means a “Disproportion between two or more like parts [14].” Clarke says that when a nation sits on the high end of that equation (the US, for example), it has a high degree of “cyber dependence.” In other words, that nation depends greatly on cyber for it to function. If that is out of balance, an asymmetric advantage develops and cyber defense is more important than cyber offense. The Chinese wanted to take advantage of that and published their first thoughts about the idea in that “Unrestricted Warfare” book. Four years later, “Titan Rain” proved again how weak the DOD networks were and how successful the Chinese had been in pursuing their asymmetric vision.

From there, Clarke describes examples of how various nation states have experimented with Cyber Warfare in the past: US, Russia, Israel and North Korea. With this history lesson complete, Clarke makes the case that the US defenses against these kinds of attacks are weak, both for government networks and for commercial networks, and spends the rest of the book talking about what should be done about it. Clarke’s bottom line is that, painful as it might be, the US will require sweeping new laws, regulations and policy in order to protect the nation from this threat. He points out that Cyber Command is responsible for defending the DOD networks and that the Department of Homeland Security is responsible for protecting the non-DOD government networks. Nobody is responsible for protecting the commercial side. That seems short-sighted when you lay it out like that, but in truth, the commercial side really wants no part of US government help when it comes to defending their own networks. Let’s face it, the government’s track record is not that good. About the only thing the commercial side wants from the government is their intelligence feed. This stand-off between the US government and the commercial sector has been going on for well over a decade. Clarke’s point is that enough is enough. Tough decisions are required. He proposes the Defense Triad Strategy:

1: Secure the US Backbone
2: Secure the US Power Grid
3: Install security best practices on all government networks (NIPRNET / SIPRNET / JWICS)

I totally agree with the first one. Today, the US internet is a conglomeration of commercial ISPs who interconnect with each other as the business need demands. Their connections to each other and to the rest of the world are based on business decisions. While all of the big ones cooperate with each other and with the US government, their first priority is to make money. If a large scale attack on the financial system, for example, is launched from a foreign adversary, the US government has no first-hand means to monitor the situation. They have to depend on the generosity of the commercial sector to share information. Today, most of these commercial companies willingly share with the government, but the system is inefficient and will likely not prevent the first wave of attacks. Clarke’s point is that somebody from the government should be monitoring the US cyber perimeter. Privacy advocates will scream and detractors will point out that it is equally possible to launch an attack against the food system from within the US as it is from a foreign country. Clarke acknowledges those issues but advocates that just because they will be controversial does not mean we should not address them.

For Clarke’s second point, I was a little skeptical at first. Why single out power as the first priority among 18 different critical infrastructure sectors such as banking and food? After a little thought, though, it is clear that power is the lynchpin for the entire shooting match. The reason the US is cyber dependent is because it has reliable power distributed across the entire nation. Take that out and the rest of the 18 critical infrastructure sectors come tumbling down after it.

For his last point, it is a little sad that we have to say this. The US Government should install basic best practice security measures (like need-to-know network segmentation, file encryption, and host-based intrusion detection technology) across all of its networks. The fact that the government has not done this is a little scary, but it is my experience that this is not an act of incompetence. It really comes down to cost. The US government networks are some of the largest in the world. To install all of that technology on every laptop and computer on three different networks is not cheap. In a world of limited resources, when you compare the tradeoff between buying file encryption software to, say, buying body armor for deployed soldiers, file encryption is going to lose every time.

Clarke realizes that it is unlikely that any US leader will be able to push through these radical ideas from the start. In order to get there, he proposes six paths that the international community should work in parallel:

1: Broad public dialog about cyber war
2: Create the Defensive Triad
3: International cooperation on Cyber Crime
4: Cyber Arms Reduction beginning
5: R&D for more secure networks
6: President is required to make a decision on Computer Network Attack (CNA)

Number three is a no-brainer. Why does the world tolerate things like spamming organizations and botnets? In my naive fantasy world, I can see world leaders, perhaps sitting around the negotiating table at the UN, deciding that these kinds of things will not exist and whenever one is discovered, every nation pitches in to dismantle them. OK, so this might not be realistic, but I think there is a lot more common ground here than there is disagreement. For cyber arms reduction, Clarke comes from the nuclear world and it makes sense that he would try to apply the successes that world has achieved in the cyber space arena. I am not quite sure what would come of those discussions, especially since the US has decided that Computer Network Attack (See Stuxnet [3]) is a viable middle ground to influencing nations in the Middle East as compared to deploying troops or dropping bombs, but perhaps the international community can agree on big ticket items like not attacking each other’s power grids. But, by all means, let’s bring the leaders to the table and see what comes of it.

For number three (Cyber arms reduction) and number four (presidential decision making), this is where Clarke did not benefit from knowing about Stuxnet prior to publishing his book. For the attacks against the Iranian uranium enrichment facility, President Bush moved the operation under Title 50 authority, the intelligence channels. Using something called Presidential Findings, the US President is authorized to approve covert missions. These cyber operations fall loosely into the same legal category as drone operations in the Middle East and the assassination of Osama Bin Laden in Pakistan. A Presidential Finding is a written description of a covert action that must be shared with the appropriate intelligence committees in Congress. They describe influence actions against political, economic or military objectives [15]. The good news is that one of the six parallel paths on Clarke’s list is already done.

I have one side note to discuss before I finish this review. Clarke describes how the US Air Force, Navy and Army have progressed in the cyber arena since “Moonlight Maze.” He was not kind to the US Army: "If the Army sounds like the least organized of the services to fight cyber war, that is because it is." Some of you may know that my last job in the Army was running the Army Computer Emergency Response Center (ACERT) right around the Titan Rain timeframe. My job was to coordinate actions across the cyber spectrum: Defense, Exploitation and Attack. When I was there, we were breaking new ground trying to figure out how to operate in this new space. General Alexander, now the NSA Director and the commander of Cyber Command, was my senior rater. Some of the things he is doing at the national level at Cyber Command, he experimented with first as the INSCOM Commander in charge of the ACERT. I admit that hearing that the Army has fallen so far behind the other services in this arena stings a bit. To be fair though, the Army has been fighting two land wars in the Middle East for the past decade. Their leadership may have had one or two other pressing issues to worry about than developing their cyber capability.

I recommend this book. At the very least, an open and frank discussion of Clarke’s six parallel paths between international government leaders and commercial business leaders would not be a bad thing. Nothing can happen if we do not put everything on the table and discuss it. We can use Clarke’s book to get the conversation started.

Sources:

[1] “Bio: Richard A. Clarke,” Cyber War by Richard A. Clarke and Robert K. Knake, Last Visited 1 January 2013, http://www.richardaclarke.net/bio.php
[2] “Book Review: “Breakpoint (2007)” by Richard Clarke,” By Rick Howard, Terebrate, 1 Jan 2013, Last Visited 21 January 2013, http://terebrate.blogspot.com/2013/01...
[3] “A Declaration of Cyber-War,” by Michael Gross, Vanity Fair, April 2011, Last Visited 20 January, http://www.vanityfair.com/culture/fea...
[4] “Cyberwar Timeline,” By Mark Clayton, The Christian Science Monitor, 7 March 2011, Last Visited 19 January 2013, http://www.csmonitor.com/USA/2011/030...
[5] “Cyberattack [Moonlight Maze] Reveals Cracks in U.S. Defense,” By Elinor Abreu, PCWorld, 9 May 2001, Last Visited 20 January 2013, http://www.pcworld.com/article/49563/...
[6] “Cyberwar [Timeline],” By Frontline, 24 April 2003, Last Visited 20 January 2013, http://www.pbs.org/wgbh/pages/frontli...
[7] “Establishing a Cyber Warfare Doctrine,” By Andrew Colarik and Lech Janczewski, Journal of Strategic Security, Volume 5, Issue 1, pg 31-48, 2012, Last Visited 19 January 2013, http://scholarcommons.usf.edu/cgi/vie...
[8] “Inside the Chinese Hack Attack [Titan Rain],” By Nathan Thornburgh, Time Magazine, 25 August 2005, Last Visited 20 January 2013, http://www.time.com/time/nation/artic...
[9] Note: I could find no other sources corroborating this fact.
[10] “Israeli sky-hack switched off Syrian radars countrywide: Backdoors penetrated without violence,” By Lewis Page, The Register, 22 November 2007, http://www.theregister.co.uk/2007/11/...
[11] “North Korea launched cyber attacks, says south,” By Associated Press, theGuardian, 11 July 2009, http://www.guardian.co.uk/world/2009/...
[12] “Computer Spies Breach Fighter-Jet Project [F-35],” By Siobhan Gorman, The Wall Street Journal, 21 April 2009, Last Visited 20 January 2013, http://www.darkreading.com/security/n...
[13] “Chinese Hackers Stole Plans for America's New Joint Strike Fighter Plane [F-35], Says Investigations Subcommittee Chair,” By Christopher Groins and Pete Winn, The Wall Street Journal, 25 April 2012, Last Visited 20 January 2013, http://cnsnews.com/news/article/chine...
[14] “Asymmetry,” By Dictionary.com, Last Viewed January 2013, http://dictionary.reference.com/brows...
[15] Note: I got this information from an interview I conducted with a military lawyer in the fall of 2012. That lawyer wishes to be an anonymous source.
Read count: 1 | Date started: Sep 23, 2012 | Date read: Jan 13, 2013 | Date added: Jun 26, 2012 | Format: Hardcover
ISBN 1416507787 | ISBN13 9781416507789 | ASIN 1416507787 | Average rating 4.28 (14,452 ratings) | Published 1989; this edition Jan 01, 2005 | My rating: it was amazing
From my Blog Site: http://bit.ly/11P0xZC

Executive Summary

This book is a part of the cyber security canon. If you are a cyber security professional, you should have read this by now. Twenty years after it was published, it still has something of value to say on persistent cyber security problems like information sharing, privacy versus security, cyber espionage and the intelligence dilemma. Rereading it after 20 years, I was pleasantly surprised to learn how pertinent that story still is. If you are not a cyber security professional, you will still get a kick out of this book. It reads like a spy novel, and the main characters are quirky, smart, and delightful.

Introduction

The Cuckoo’s Egg is my first love. Clifford Stoll published it in 1989, and the first time I read it, I devoured it over a weekend when I should have been writing my grad school thesis. It was my introduction to the security community and the idea that somebody had to protect these new-fangled gadgets called computers. Back in those days, authors put their email addresses in their books, and when I finished reading it, I sent Mr. Stoll a note explaining how much I enjoyed his book. He answered immediately and forever made me a fan. Ever since, I have considered his book to be part of the cyber security canon,[5] books that every practitioner should read early in his or her educational development. But that was more than 20 years ago. I thought I would reread it to see if that was still true. Amazingly, it is. Besides being a window back through time to the beginning of our modern Internet age, Stoll’s book highlights many of the security problems that still plague us today.

The Story

The story itself reads like an Alfred Hitchcock movie. Joe Average-Man -- in this case, Stoll as a hippie-type systems administrator keeping the computers running at the Lawrence Berkeley National Laboratory just outside San Francisco[6] -- is in the right place at the wrong time. Like Cary Grant[7] and Jimmy Stewart[8] before him, Stoll is minding his own business when he stumbles upon a bit of a mystery that, when it all plays out, is much larger than he is. By tracking down a minuscule computer-accounting error, Stoll unraveled an outsourced, Russian-sponsored, international cyber-espionage ring that leveraged the Berkeley computers to break into US military and government systems across the United States. The book documents Stoll’s journey as he tries to get help from the US and German governments to do something about this serious threat that nobody wants to own. As the story unfolds, the reader also gets a fascinating glimpse at how the Internet looked just before it exploded into the commercial and cultural juggernaut that it has become today.

But the book is not just about ones and zeros. If it is anything, it is also a love story between Stoll and his long-suffering mate, Martha. I say long-suffering because Stoll is the stereotypical absent-minded professor.[1][4] Martha was often annoyed with him as he traipsed off to his lab to see what was going on after one of his alarms or traps fired signifying hacker activity. But Stoll is so charming and the two of them are so sweet together that when they end up getting married at the end of the book, I could not help but cheer. Besides, he shared his not-so-secret chocolate-chip-cookie recipe.

The interesting dichotomy at play in the book though is how Stoll deals with government authorities. In the book, he describes himself as a “mixed-bag of new-left, harmless non-ideology,” yet he routinely called, cajoled, and coordinated leaders and administrators in the NSA, the CIA, the FBI, and other government and military organizations--bastions of the near and far right. How Stoll gets his head around those two philosophies is fun to read.

It is in these interactions with the government that Stoll runs squarely into one of those persistent problems that we still have in the security community today: The government does not like to share. Stoll consistently ran into government bureaucracy: human-government vacuum cleaners who were eager to take any and all information that Stoll had in regard to his investigation but who were also unwilling to share anything that they knew in return. To be fair, the US government today is getting better at this information-sharing thing, but leaders are a long way from implementing a free-flowing information exchange. I am not sure it will ever get there.[9] The government’s reluctance to share is why it is important for like-minded organizations, like the federally encouraged Information Sharing and Analysis Centers (ISACs)[11] and the Defense Industrial Base (DIB),[12] to find ways to share information between member groups without having to rely on the government.

Which brings us to the second persistent problem. As Stoll is wrapping up the book, he concludes, “After sliding down this Alice-in-Wonderland hole, I find the political left and right reconciled in their mutual dependency on computers. The right sees computer security as necessary to protect national secrets; my leftie friends worry about an invasion of their privacy.” If that is not the perfect summation of what is going on now with the Edward Snowden investigation, I don’t know what is.[10] The Snowden case is just the last one in a series of privacy-versus-security trade-off debates that the United States and other countries have made in the past twenty years.[16][17][18] As Bruce Schneier points out, this is a false argument: “The debate isn't security versus privacy. It's liberty versus control.”[16] He and other pundits highlight the fact that this is not an either-or decision. You can have security and privacy at the same time, but you have to work for it. In this book, Stoll was the first one I can remember who raised the issue. He struggled with it back then as we are all doing today.

The third persistent problem is the cyber espionage threat. The commercial world only really became aware of the issue when the Chinese government compromised Google at the end of 2009.[13] The US military had been dealing with the Chinese cyber espionage threat (back then known as TITAN RAIN) for at least the decade before that.[14] But on C-SPAN’s Book TV program, Stoll claims that his book describes the first public case where spies used computers to conduct espionage, this time sponsored by the Russians.[4] The events in The Cuckoo’s Egg started happening in August 1986,[2][3] almost 15 years before TITAN RAIN, and some of the government characters that Stoll deals with in the book hint that they know about other nonpublic espionage activity that happened earlier than that. The point is that the cyber espionage threat has been around for some 30 years and shows no sign of going away any time soon.

The Chinese government is infamous for its willingness to outsource some of its low-level hacker intelligence-gathering activities to nongovernmental hacking groups. Chinese leaders tend to use semiprofessional hacker groups within their own country for these activities, and they have had a lot of success with that model. One reason for that success is that leadership does not appear to be overly concerned if these outsourced hacker groups get caught. There is enough plausible deniability between the government and the outsourced hackers, at least to this point, that the risk to the Chinese government is very small. No other countries overtly follow this cyber espionage model--not the United States, not Israel, not France, and not Russia. From Stoll’s book though, it is obvious that the Russians tried it at least once as far back as the late 1980s. They contracted with some German hackers to collect passwords and interesting research on US government systems.

The fourth and final persistent problem is really not a cyber problem at all but an intelligence discipline problem. Throughout the book, Stoll struggles with the idea of whether or not to publish his findings. He describes the problem like this: “If you describe how to make a pipe bomb, the next kid that finds some charcoal and saltpeter will become a terrorist. Yet if you suppress the information, people won’t know the danger.” That is the classic intelligence dilemma. It goes directly to the Snowden issue today wherein the lefties are concerned about privacy and want transparency for all security matters. The righties value security over privacy and worry that transparency will give too much information away to the bad guys. In my heart, I think there is some middle ground that could be reached. Since 9/11, the United States has swung in the direction of security over transparency. I do not see that changing anytime soon. Stoll definitely comes down on the side of transparency, but like I said, he is a self-described “mixed-bag of new-left, harmless non-ideology.”

A Side Note

On 3 November 1988, 34 minutes after midnight and almost a year after Stoll concluded his forensics investigation on the Russian-sponsored cyber espionage ring, Robert Morris Jr. brought the Internet to its knees.[15] He launched the first ever Internet worm, and for at least some days after, the Internet ceased to function as UNIX wizards of all stripes worked to eradicate the worm from their systems. Aside from the coincidental timing of the worm, the reason this is significant to this book is that Robert Morris’ father, Bob Morris Sr., was Stoll’s contact at the NSA during the investigation. He was one of those human vacuum cleaners taking in information but not giving any out. By all accounts, Bob Morris Sr. was a computer wizard in his own right,[2] and I have often speculated about how much his son picked up at the dinner table from his dad about the theoretical ways one might attack the Internet.

The Tech

The egg in The Cuckoo’s Egg title refers to how the hacker group compromised many of its victims. It turns out that the real-life cuckoo bird does not lay its eggs in its own nest. Instead, she waits for any kind of other bird to leave its nest unattended. The mother cuckoo then sneaks in, lays her egg in the unoccupied nest, and sneaks out, leaving her egg to be hatched by another mother. Similar to the cuckoo bird, Stoll’s hackers took advantage of a security vulnerability in the powerful and extensible GNU Emacs text-editor system that Berkeley had installed on all of its UNIX machines. At the time, Emacs allowed any user to copy any file anywhere in the system without asking for permission. The hackers used Emacs to overwrite the standard system command atrun with an altered version, a version that did everything that the standard version did but also elevated the hacker’s stolen user account to have system administrator privileges. Back then, the atrun command typically ran every five minutes to perform maintenance tasks on the system. Once the hackers laid the egg with Emacs, they just sat back and waited five minutes for the system to grant system administrator privileges to their user account. The spies performed a similar attack within the X-Preserve functionality in the vi editor. It was a known security hole that, unpatched, copied files to any location on the system. Stoll had patched the hole, but many other government system administrators had not. The hackers’ survival depended on the ignorance of the system administrators who did not know about the Emacs and vi security holes. As Stoll said, “The survival of cuckoo chicks depends on the ignorance of other species.”

On their own, Stoll, Martha, and their roommate devised a fairly decent counter-intelligence program. They needed a way to keep the hackers online so that the authorities in the United States and Germany could trace the phone connections to the origin point. The problem was that the hackers tended to get in and get out. Stoll and company needed a way to keep them online longer. Stoll decided that they would create volumes of phony documents laced with official-sounding topics that dealt with “classified” information. It worked. The hackers could not help themselves and eventually tried to download the entire cache, staying online for hours.

The spy ring spent a lot of time trying to take over regular user accounts so that they could log in as those users and review the system without causing alarm. In one instance, after becoming a system administrator with the Emacs attack, one hacker opened up the system’s password file. He still did not know what the passwords were to all the users on the system because they were encrypted. Instead of trying to break them, he just erased one of them. He picked a specific user and erased the user’s password. When he logged in as that user later, the system would grant access since there was no password guarding the account. After a while, the hacker started downloading the entire password file to his home computer. Stoll later discovered that the hacker executed a brilliant new attack. He encrypted every word in the dictionary with the same algorithm that encrypted passwords and compared the encrypted passwords in the downloaded password file with the encrypted dictionary words. If he found any that matched, he could now log in as a legitimate user. Brute-force dictionary attacks are standard today, but back then, it was a new idea.

Conclusion

I can’t tell you how pleased I am that The Cuckoo’s Egg still holds up after 20 years. Being my first love and all, the old girl has aged quite well. Instead of playing Jimmy Stewart or Cary Grant in an old black-and-white favorite movie, Stoll fits quite nicely in a modern setting. The book still has something of value to say on persistent cyber security problems like information sharing, privacy versus security (if you are a rightie), or liberty versus control (if you are a leftie), cyber espionage, and the intelligence dilemma. This book is part of the canon for the cyber security professional. You should have read this by now.

Sources

[1] Speakers: Clifford Stoll: Astronomer, educator, skeptic, by TED: Ideas Worth Spreading, Last Visited June 19, 2013, http://www.ted.com/speakers/clifford_...
[2] Comment: Re: Stoll's "Cuckoo's Egg" has some great anecdotes, by Cliff Stoll, June 30, 2011, Last Visited June 19, 2013, http://slashdot.org/~Cliff+Stoll
[3] Stalking the Wily Hacker, by Clifford Stoll, Communications of the ACM, May 1988, Volume 31, Number 5, Last Visited June 19, 2013, http://faculty.cs.tamu.edu/pooch/cour...
[4] Book Discussion on The Cuckoo's Egg, by C-SPAN, October 1989, Last Visited June 19, 2013, http://www.c-spanvideo.org/program/Cuc
[5] Canon, by Dictionary.com, Last Visited June 19, 2013, http://dictionary.reference.com/brows...
[6] Berkeley Lab: Lawrence Berkeley National Laboratory, U.S. Department of Energy, Last Visited June 19, 2013, http://www.lbl.gov/
[7] North by Northwest, IMDb, Last Visited June 19, 2013, http://www.imdb.com/title/tt0053125/
[8] Rear Window, IMDb, Last Visited June 19, 2013, http://www.imdb.com/title/tt0047396/
[9] Edward Snowden: the whistleblower behind the NSA surveillance revelations, by Glenn Greenwald, The Guardian, 9 June 2013, Last Visited 23 June 2013, http://www.guardian.co.uk/world/2013/...
[10] Help Me Obi Wan – You’re My Only Hope: Three Cyber Security Innovations to Give You Courage, by Rick Howard, Terebrate, 10 June 2013, Last Visited 23 June 2013, http://terebrate.blogspot.com/2013/06...
[11] Executive Order on Cybersecurity ... PDD 63 Deja Vu, by Warren Axelrod, BlogInfoSec.com, Information Security Magazine, 9 April 2013, Last Visited 6 June 2013, http://www.bloginfosec.com/2013/04/09...
[12] Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Activities, Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer, 19 January 2010, Last Visited 6 June 2013, http://www.dtic.mil/whs/directives/co...
[13] Google attack part of vast campaign, by Ariana Eunjung Cha and Ellen Nakashima, The Washington Post, 14 January 2010, Last Visited 23 June 2013, http://articles.washingtonpost.com/20...
[14] Inside the Chinese Hack Attack, by Nathan Thornburgh, Time, 25 August 2005, Last Visited 23 June 2013, http://www.time.com/time/nation/artic...
[15] The What, Why, and How of the 1988 Internet Worm, by Charles Schmidt and Tom Darby, July 2001, Last Visited 23 June 2013, http://www.snowplow.org/tom/worm/worm...
[16] Security vs. Privacy, by Bruce Schneier, Schneier on Security, 29 January 2008, Last Visited 24 June 2013, http://www.schneier.com/blog/archives...
[17] Nothing to Hide: The False Tradeoff between Privacy and Security, by Daniel Solove, Yale University Press, 2011, Last Visited 24 June 2013, http://papers.ssrn.com/sol3/papers.cf...
[18] Security vs. Privacy: The Rematch, by Jennifer Granick, Wired, 24 May 2006, Last Visited 24 June 2013, http://www.wired.com/politics/law/com...

References

Deep Black, by William E. Burrows, published by Berkley Books, 1986
GNU Emacs, GNU Operating System, Last Visited June 19, 2013, http://www.gnu.org/software/emacs/
The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet, by David Kahn, published by Scribner, 5 December 1996
The KGB, the Computer, and Me, PBS Nova, Last Visited June 19, 2013, http://www.youtube.com/watch?v=EcKxaq...
The Puzzle Palace: Inside the National Security Agency, America's Most Secret Intelligence Organization, by James Bamford, published by Penguin Books, 23 September 1982
Unix System Security, by Patrick H. Wood and Stephen G. Kochan, published by Hayden Books, 1985
West Germans Raid Spy Ring That Violated U.S. Computers, by John Markoff, The New York Times, March 3, 1989, Last Visited June 19, 2013, http://www.nytimes.com/1989/03/03/wor...
Times read: 2 | Date started: not set / not set | Date read: Jul 1989 / not set | Date added: Jun 09, 2012 | Format: Paperback
ISBN 0307588688 | ISBN13 9780307588685 | ASIN 0307588688 | Average rating 3.97 (7,937 ratings) | Published Feb 22, 2011; this edition Feb 22, 2011 | My rating: it was amazing
See the full review at my blog site: http://terebrate.blogspot.sg/2014/02/...

Kingpin tells the story of the rise and fall of a hacker legend: Max Butler. Butler is most famous for his epic, hostile hacking takeover in August 2006 of four of the criminal underground’s prominent credit card forums. He is also tangentially associated with the TJX data breach of 2007. His downfall resulted from the famous FBI undercover sting operation called Operation Firewall, where agent Keith Mularski was able to infiltrate one of the four forums Butler had hacked: DarkMarket. But Butler’s transition from pure white-hat hacker into something gray--sometimes a white hat, sometimes a black hat--is a treatise on the cyber criminal world. The author of Kingpin, Kevin Poulsen, imbues the story with lush descriptions of how Butler hacked his way around the Internet and pulls the curtain back on how the cyber criminal world functions. In much the same way that Cuckoo's Egg reads like a spy novel, Kingpin reads like a crime novel. Cyber security professionals might know the highlights of this cyber criminal underworld, but Poulsen is able to provide a lot of detail about how this world functions that is understood mostly only by the cyber criminals themselves and the law enforcement officials who stalk them. Because of that, Kingpin is cyber-security-canon worthy, and you should have read this by now.
Times read: 2 | Date started: not set / not set | Date read: Feb 21, 2014 / not set | Date added: Jun 09, 2012 | Format: Hardcover