
Ben Rothke: Security Reading Room


When I first got a copy of Elementary Information Security, based on its title, weight and page length, I assumed it was filled with mindless screen shots of elementary information security topics, written in a large font in order to jack up the page count.  Such an approach is typical of far too many security books.  If ever a title was a misnomer, Elementary Information Security is it.

 

For anyone looking for a comprehensive information security reference guide, Elementary Information Security is it. While the title may say elementary, the reader who spends the time and effort to complete the book will come out with a complete overview of every significant information security topic.

 

The book is in fact a textbook meant to introduce the reader to the topic of information security.  But it has enough content to be of value to everyone, security novice or experienced professional.

 

Author Richard Smith notes that if you want to get a solid understanding of information security technology, you have to look closely at the underlying strengths and weaknesses of information technology itself, which requires a background in computer architecture, operating systems and computer networking.

 

With that, Elementary Information Security is a tour de force that covers every information security topic, large and small. The book also provides a relevant overview of the peripheral topics that are embedded into information security. 

 

In 17 chapters covering over 800 pages, the book is well organized and progressively gets more complex.  Two large chapters of the book are freely available online, with chapter 3 here and chapter 9 here.

 

The following are the chapters in the book, which give a comprehensive overview of all of the core areas of information security:

 

  1. Security From the Ground Up
  2. Controlling a Computer
  3. Controlling Files
  4. Sharing Files
  5. Storing Files
  6. Authenticating People
  7. Encrypting Files
  8. Secret and Public Keys
  9. Encrypting Volumes
  10. Connecting Computers
  11. Networks of Networks
  12. End-to-End Networking
  13. Enterprise Computing
  14. Network Encryption
  15. Internet Services and Email
  16. The World Wide Web
  17. Governments and Secrecy

 

 

The early chapters focus on the fundamentals of computers and networking, and the core aspects of information security.  The chapters progress in complexity and deal with distributed systems and more complex security topics.  The mid-chapters deal with cryptography, starting with an introduction to the topic, into more complex topics and scenarios.  One is hard-pressed to find an information security topic not covered in the book.

 

Chapter 1 is on Security from the Ground Up and lays the groundwork for what security is.  Various topics around risk are detailed, such as identifying, prioritizing and assessing risks.

 

Chapter 2 is on Controlling a Computer and reviews the underlying architecture around computers. 

 

For some people, much of their learning about information security is based on rote memorization.  In the book, Smith eschews this, and each chapter closes with a glossary of topics and penetrating questions.   There are also problem definitions which detail practical situations, with the hope that the reader can create an adequate security solution.  The reader who spends extra time reviewing the questions will find that it significantly helps in mastering the myriad topics.

 

The goal of the questions and exercises is to make the knowledge real. Some of the exercises include watching movies with computer security related topics such as The Falcon and the Snowman, Crimson Tide, and others.  For example, in The Falcon and the Snowman, the author asks the reader to identify two types of security measures that would have helped prevent theft of the crypto keys.  In Crimson Tide, it asks the reader to consider the missile launch procedures portrayed in the film and whether it is possible for a single person to launch a nuclear missile.  Another scenario asks under what circumstances a recipient should accept an unauthenticated message.  It also asks the reader to give an example of a circumstance in which accepting an unauthenticated message would yield the wrong result.

 

The book is not meant as a For Dummies guide to the topic, and it assumes a college-level comprehension of relevant mathematical concepts.  Note though that the requisite math is detailed in the sections on encryption and cryptography.

 

The book is also the first textbook certified by the NSA to comply with the NSTISSI 4011 standard, which is the federal training standard for information security professionals.  The author notes on his blog that in order to gain that certification, he had to map each topic required by the standard to the information as it appears in the textbook.

 

Given the value of the book, (ISC)² should consider using this title as a reference for their CISSP certification.   With all of the CISSP preparation guides available, even the Official (ISC)² Guide to the CISSP CBK, one is hard pressed to find a comprehensive, all-embracing security reference such as this.  Some may even want to simply use this book as their definitive CISSP study guide.

 

For those looking for a single encyclopedic reference on information security, they should look no further than Elementary Information Security.   Richard Smith has written a magnum opus on the topic, which will be of value for years to come.


Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.


One of the selling points of virtualization is its perceived added level of security.  But virtualization, like any other piece of software, can be implemented incorrectly and can itself have flaws.

 

Last year, NIST came out with SP 800-125, Guide to Security for Full Virtualization Technologies.  The guide is intended for system administrators, security program managers, security engineers and anyone else involved in designing, deploying or maintaining full virtualization technologies.

 

NIST SP 800-125 recommends organizations do the following:

  • secure all elements of a full virtualization solution and maintain their security
  • restrict and protect administrator access to the virtualization solution
  • ensure that the hypervisor, the central program that runs the virtual environment, is properly secured
  • carefully plan the security for a full virtualization solution before installing, configuring and deploying it

 

All good items to do; but at 25 pages, SP 800-125 is clearly inadequate to cover all of the details around how to securely use virtualization.  With that, Securing the Virtual Environment: How to Defend the Enterprise Against Attack, by Davi Ottenheimer and Matthew Wallace, is a great new book that provides a comprehensive overview on how to secure systems and defend against attacks on virtualized environments.

 

The book takes a very strong approach that in order to secure virtualization effectively, one needs to understand how adversaries will attack a virtualized environment.  The authors provide numerous details on how to precisely do that.

 

The book is a highly technical guide meant for those designing, deploying and administering virtualized systems. At 400 pages, the book's 10 chapters provide a wealth of information on securing virtualized systems.

 

Chapter 5 on Abusing the Hypervisor is perhaps the best chapter in the book and covers the most important topic in virtualization security.  The hypervisor, also called the virtual machine manager (VMM), is the software that manages the entire virtualization environment.  Malware will often attack the hypervisor in order to gain control.

 

The book also contains an appendix on how to build a virtual attack test lab.  It details the components of the virtual penetration testing lab, including how to build the gateway, Xen hypervisor and KVM, and how to build the cloud stack.

 

The accompanying DVD contains code and scripts from the book and also contains an Ubuntu 6 virtual machine, pre-loaded with various network security tools.

 

Chapter 1 on virtualized environment attacks is freely available here.  After reading that, most readers will likely want to read the entire book, and they should.

 

Anyone who is serious about virtualization security should certainly make sure that Securing the Virtual Environment: How to Defend the Enterprise Against Attack is on their reading list, and that of every security administrator in their company.


Geeks are often portrayed as nerds whose diet consists of Red Bull and PowerBars.  The truth though is that many technical professionals, geek or not, do not get adequate nutrition, sleep or exercise.


An interesting new book is out: Fitness for Geeks: Real Science, Great Nutrition, and Good Health.

 

In the book, author Bruce Perry discusses the following:


  • best times of day to eat and what to eat
  • why eating carbs before exercising isn't healthy
  • why you can get a beer belly, even if you don't drink beer
  • the best exercise routines to lose weight, and maintain a healthy weight
  • what two things matter most in keeping a healthy lifestyle
  • how to find your way around the gym, especially the weight room
  • the pros and cons of yoga
  • what apps are the best for exercise, and how to use them

 

A good introduction to the book is in this video of Perry.

 

The book also shows how to use new apps with fitness equipment that can be integrated into your lifestyle and fitness routine.

 

This looks to be a really good and important book.  With obesity and diabetes reaching epidemic levels, it is hard to imagine how Fitness for Geeks: Real Science, Great Nutrition, and Good Health can’t be a valuable resource for everyone.

 

Full review (and hopefully weight loss) to follow.


Documenting the heroism that was displayed on 9/11 and in the weeks following will eventually fill volumes.  Many gave up their lives trying to save others; and due to the toxic dust at Ground Zero, many of the rescuers are now dying a slow death.

 

While 9/11 brought out the best in many, in some limited cases it brought out the very worst.  In The Woman Who Wasn't There: The True Story of an Incredible Deception, authors Robin Fisher and Angelo Guglielmo detail the story of Tania Head, a woman who said she was a survivor of Tower 2, when in fact she was in business school in Spain on 9/11.

 

Head joined the World Trade Center Survivors' Network support group and a short while later became president of the group.

 

Now that April 15 has passed and tax returns are being processed, there are many stories of tax refund fraud affecting many innocent people.  While such crimes are reprehensible, most of these victims will likely receive their money. What is so evil about what Tania Head did is that she preyed on people who were victims in need of consolation, and in her sociopathic quest for validation, lied to them.  These lies spanned the course of years.

 

The survivors of 9/11 whose faith in humanity had been shattered, but who had risked trusting again and had chosen Tania to lead them out of the abyss, were left wondering how she could do what she had done.   She deliberately chose the most vulnerable people and exploited them by making up a tale so terribly heartbreaking that they couldn’t do anything but trust her, because her story was the saddest of them all.

 

The story that Fisher and Guglielmo so eloquently tell is both fascinating and heartbreaking.

 

Most books like this would include a number of pictures of the subject at hand.  My supposition is that the authors purposely left out pictures of Ms. Head so as not to predispose the reader.

 

Head did not look like a typical conniver, but indeed was a master manipulator. Since she appeared so legitimate, so sincere, and the story she told so compelling, no one initially thought that her story, while heartbreaking, was anything less than true.  The reality is that Head’s hog-like demeanor was simply a manifestation of her utterly narcissistic personality.

 

Her undoing came just days before 9/11/2007, in a New York Times story that exposed her fraud.   After that point, Head was dismissed as head of the World Trade Center Survivors' Network, and has not been heard from since.

 

In the vernacular of information security, Tania Head was a type of social engineer.  In the book Social Engineering: The Art of Human Hacking, Christopher Hadnagy details how attackers use social engineering techniques to manipulate people into performing actions or divulging confidential information.

 

While Head did not gain any financial benefit via her deception, what she was gaining was a sense of self-worth and importance, at the expense of other people’s trust and emotions.  True, she likely violated no law, but from a moral perspective, violated the very tenets of human trust.

 

The Woman Who Wasn't There: The True Story of an Incredible Deception is a fascinating book.  If you do choose to read it, and you should, block out about 4 hours of your day, as once you start it, you won’t be able to put it down.


Just got a copy of the Cyber Security Policy Guidebook.  If you judge a book by the cover, this should be a good one, as some of the authors are major information security heavyweights such as Jennifer Bayuk, Marcus Sachs and others.

 

While policy is in the title, this is not a policy template reference like Information Security Policies Made Easy.  Rather the book attempts to create a taxonomy of the most pressing information security policy issues. 

 

Looks to be a good read.

 

Full review to follow.


While Julius Caesar likely never said “Et tu, Brute?” the saying associated with his final minutes has come to symbolize the ultimate insider betrayal. 

 

In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, authors Dawn Cappelli, Andrew Moore and Randall Trzeciak of the CERT Insider Threat Center provide incontrovertible data and an abundance of empirical evidence, which makes this an important resource on the topic of insider threats.  There are thousands of companies that have uttered modern day versions of Et tu, Brute due to insidious insider attacks, and the book documents many of them.

 

The book is based on work done at the CERT Insider Threat Center, which has been researching this topic for the last decade.  The data the threat center has access to is unparalleled, which in turn makes this the definitive book on the topic.  The threat center has investigated nearly 1,000 incidents and their data sets on the topic are unrivaled.  With that, the book truly needs to be on the desktop of everyone tasked with data security and intellectual property protection.

 

The book provides a unique perspective on insider threats, as the CERT Insider Threat Center pioneered the study of the topic and has exceptional empirical data to back up their findings.  While there are many books on important security topics such as firewalls, encryption, identity management and more, The CERT Guide to Insider Threats is one of the first to formally and effectively tackle the extraordinarily devastating problem of trusted insiders who misappropriate data.

 

In the introduction, the authors write that a common misconception is that insider threat risk management is the responsibility of IT and information security staff members exclusively.  The reality is that it is the responsibility of senior management to ensure that there is an overarching program to deal with insider threats at the enterprise level.  Surprisingly and shockingly, far too few organizations have insider threat programs in place, and the book has scores of stories and case studies on those organizations that have become victims.  While senior management created information security solutions to secure the perimeter, they were oblivious to the data leakage emanating from the interior network.

 

The authors reiterate that it is critical that all levels of management recognize and acknowledge the threat posed by insiders and take appropriate steps to mitigate malicious insiders.  While it is impossible to stop every attack, what management can certainly do is build resiliency into their organization's infrastructure and business processes.  This enables the organization to detect attacks earlier and minimize the financial and operational impact.  The book provides the specific details on how an organization can do precisely that.

 

In 9 detailed chapters and 6 appendices, the book provides a comprehensive and exhaustive analysis of the problem and menace of insider threats. After completing the book, one is well-prepared to initiate an insider threat program.  The book provides examples of insider crimes from nearly every industry segment and ample data to share with management to convince them that the threats, both to their intellectual property and corporate profits, are very real.

 

After a high-level overview of the topic in chapter 1, the next chapter gets into the details of insider IT sabotage.  While some think that stopping IT sabotage is next to impossible, the authors detail and have identified distinct patterns in nearly every IT sabotage case.  The book details those patterns and also presents mitigation strategies, both technical and non-technical, to deal with those threats.

 

The chapter provides fascinating insights into how these crimes are carried out.  The authors note that by their very nature, these attacks require technical sophistication and privileged access and are usually carried out by sysadmins, DBAs and programmers.  A surprising CERT finding is that the majority of the attacks occur after the insider has been terminated or has quit the organization.  Part of the problem is that many organizations don’t have a process in place to immediately terminate access when a worker resigns or is fired.  In addition, 25% of the cases were carried out by full-time contractors.

 

Chapter 3 provides an intriguing look at the issue of insider theft of intellectual property (IP).  Any firm that has a sizable amount invested in their IP (i.e., anything you can put on a USB stick) needs to take this chapter to heart.  One of the many misconceptions CERT research has uncovered on this topic is that sysadmins are indeed not the biggest threat to IP, even though they have complete access to networks, systems and data.


According to the CERT data, they have not found a single case in which a sysadmin stole IP.  Rather, the biggest threat to IP is insider theft by scientists, engineers, programmers or salespeople.  Also, CERT found that about a third of the IP cases were carried out for the benefit of a foreign government or organization, with China having more cases of IP theft than the other 9 countries combined.

 

Given the nature of China and its appetite for data theft, the book is surprisingly silent on specific suggestions on how to deal with threats from China.  I would have liked to have seen at least a chapter dedicated to this topic.

 

The chapter continues and provides detailed lists of issues leading to job dissatisfaction that can lead a trusted employee or contractor to commit IP theft, and provides detailed steps on what companies can do to stop it.

 

Chapter 4 details everything you need to know about insider fraud.  A fascinating statistic detailed is that the average insider fraud crime spans about 15 months, with half of the crimes lasting 5 months or more. The authors write that insider fraud is typically a long and ongoing crime.  All of this is happening over the course of months and years, and the organizations being pilfered are oblivious to it.

 

The book is worth reading for chapter 6 alone, which details best practices for the prevention and detection of insider threats.  The best practices in chapter 6 give the reader a framework for establishing an insider threat program.  Many of the best practices detailed are elements of a good security program, so they should not be news to anyone.  Some of the best practices include: security awareness training, physical security controls, separation of duties, and perhaps the most blatantly obvious suggestion of them all: deactivate access following termination.
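The CERT findings that most IT sabotage happens after separation, and that "deactivate access following termination" is the most basic control, suggest a simple reconciliation check. As an added example, not from the book or from CERT, this Python script cross-checks constructed HR separation dates against a constructed account-status table and sshd-style log lines, flagging accounts still enabled after separation and any authentication attempt after the separation cutoff. The next-midnight-UTC cutoff is an assumed policy; all users, hosts and dates are hypothetical.

```python
"""Reconcile HR separations against account status and auth logs.

Added example (not from the book or CERT). Two checks:
  1. stale_accounts: separated users whose account is still enabled.
  2. post_separation_events: auth events after the separation cutoff.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical users, dates, hosts).
HR_SEPARATIONS = {
    "jdoe": "2012-03-02",    # resigned; last working day
    "asmith": "2012-02-20",  # terminated
}

ACCOUNT_STATUS = {
    "jdoe": "enabled",       # never deactivated -> finding
    "asmith": "disabled",
    "bwong": "enabled",      # current employee, not separated
}

# Constructed sshd-style lines (ISO timestamps added for clarity).
AUTH_LOG = """\
2012-03-01T17:55:02Z sshd[4121]: Accepted publickey for jdoe from 10.1.4.22 port 51422
2012-03-05T02:14:33Z sshd[5310]: Accepted password for jdoe from 198.51.100.7 port 40021
2012-03-05T02:15:10Z sshd[5310]: Failed password for asmith from 198.51.100.7 port 40022
2012-03-06T09:01:00Z sshd[6002]: Accepted publickey for bwong from 10.1.4.30 port 50011
"""

# Matches "Accepted <method> for <user>" and "Failed <method> for <user>";
# lines for unknown users ("for invalid user X") are intentionally not matched.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


def parse_auth_log(text: str) -> list[dict]:
    """Turn log text into a list of events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]})
    return events


def separation_cutoff(date_str: str) -> datetime:
    """Assumed policy: access must be gone by the midnight (UTC) after the last day."""
    last_day = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return last_day + timedelta(days=1)


def stale_accounts(separations: dict, status: dict) -> list[str]:
    """Separated users whose account is still enabled (process failure)."""
    return sorted(u for u in separations if status.get(u) == "enabled")


def post_separation_events(separations: dict, events: list[dict]) -> list[tuple]:
    """Any auth attempt, successful or not, after the user's cutoff."""
    findings = []
    for e in events:
        sep = separations.get(e["user"])
        if sep is not None and e["ts"] >= separation_cutoff(sep):
            findings.append((e["user"], e["ts"].isoformat(), e["result"], e["src"]))
    return findings


if __name__ == "__main__":
    for user in stale_accounts(HR_SEPARATIONS, ACCOUNT_STATUS):
        print(f"STALE ACCOUNT: {user} still enabled after separation")
    for user, ts, result, src in post_separation_events(HR_SEPARATIONS, parse_auth_log(AUTH_LOG)):
        print(f"POST-SEPARATION AUTH: {user} {result} at {ts} from {src}")
```

A failed attempt against a disabled account is still reported, since it shows the former insider's credentials are being tried and is worth an alert on its own.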

 

Another fascinating fact detailed in the book is that almost all insiders involved in acts of IT sabotage displayed behavioral indicators prior to committing their crimes.  Some of those indicators include: conflicts with coworkers or supervisors, improper use of data assets, sanctions and rule violations.  Organizations that act on these precursors can prevent the insider crimes from taking place.

 

Aside from its lack of coverage on how to specifically deal with the China threat, the only other shortcoming of the book is that in all of the examples and case studies, even those whose breaches are publicly known, organizations are not mentioned by name.

According to author Dawn Cappelli, Technical Manager at the CERT Insider Threat Center, they took that approach because approximately 230 of their cases were based on interviews with prosecutors, investigators, victim organizations, or convicted insiders.  In those interviews they guaranteed confidentiality of the information they obtained.  Therefore, CERT considers the success of their research directly related to their reputation in the community for being trustworthy in maintaining confidentiality. While their reasoning makes sense, anonymous case studies are often unsatisfying.

 

Insider threats are pervasive and undisputable. Organizations such as the CERT Insider Threat Center and individuals like Antonio Rucci provide vital services evangelizing about this critical topic.  This entertaining video of Rucci from DEFCON 17 is a great primer on the topic.

 

Most of the firms who fall victim to insider threats are oblivious to them as they occur. The book details effective and operational security practices which can help every organization create an insider threat program to counter the majority of insider attacks.

 

When it comes to insider threats, the only way to avert them is to have a prevention program in place.  In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, the authors have created an invaluable guidebook, with myriad details to enable the reader to do that.  The facts around insider threats speak for themselves.  Anyone charged with protection of corporate data should ensure this book is on their required reading list.  If not, and they fall victim to an insider attack, they have no one to blame but themselves.


Full disclosure:  While I am on the Expert Panel for Information Shield, Inc., publishers of this book, I receive no remuneration other than a review copy, nor do I have any editorial input in the book.

 

Information Security Policies Made Easy Version 12 is now out.  My review of version 11 is here.


Version 11 came out over 2 years ago, and version 12 looks to fill in the numerous policy gaps that have crept in since. 

 

To give you an idea of the breadth of version 12, the Master Policy List is 53 pages in length.

 

Version 12 also includes new security policies within each ISO 27002 category.

 

What I wrote about version 11 holds true for version 12: Information Security Policies Made Easy is a valuable tool that can be utilized to create a comprehensive set of information security policies in a cost- and time-effective manner. For those building corporate or organizational security policies, Information Security Policies Made Easy Version 12 is clearly a definitive reference.

 

Full review to follow.


Just got a copy of Security Strategies in Web Applications and Social Networking.  Not the newest book around, but it still is quite relevant.


The book details how to securely design and deploy web applications.

 

In just under 400 pages, it covers a lot of the core aspects of web app security, including a significant emphasis on mobile devices.

 

The book is extremely detailed, very organized and provides a good balance of information, including technical details and implementation guidelines.

 

Looks to be a really good book.

 

Full review to follow.

Microsoft Manual of Style

Posted by Ben Rothke Mar 21, 2012

The Chicago Manual of Style (CMS), now in its 16th edition, is the de facto style guide for American writers.  It deals with aspects of editorial practice, grammar, usage, document preparation and more. It’s just one of many style guides for writers.

 

The Microsoft Manual of Style, just released in its 4th edition, attempts to do for technical writers what the CMS has done for journalists and other writers.

 

A style guide or style manual is a set of standards for the writing and design of documents, either for general use or for a specific publication, organization or field. The implementation of a style guide provides uniformity in style and formatting of a document.  There are hundreds of different style guides available - from the EU Interinstitutional style guide, The Elements of Style by Strunk and White, to the Associated Press Stylebook and Briefing on Media Law and many more.

 

Microsoft’s goal in creating this style manual is about standardizing, clarifying and simplifying the creation of content by providing the latest usage guidelines that apply across the genres of technical communications. The manual has over 1,000 items, so that each author does not have to make the same 1,000 decisions.

 

Anyone who has read Microsoft documentation knows it has a consistent look and feel, be it a manual for Visual C#, Forefront or Excel.  With that, the Microsoft Manual of Style is an invaluable guide for anyone who wants to improve the documentation they write.

 

For example, many writers incorrectly use words such as less, fewer and under as synonymous terms. The manual notes that one should use less to refer to a mass amount, value or degree; fewer to refer to a countable measure of items, and not to use under to refer to a quantity or number.

 

Style guides are by their very nature highly subjective, and no one is forced to accept the Microsoft style as dogma.  The authors themselves (note that the book was authored by a group of senior editors and content managers at Microsoft, not a single individual) note that they don’t presume to say that the Microsoft way is the only way to write. Rather, it is the guidance that they follow, and they are sharing it with the hope that the decisions they have made for their content professionals will help others promote consistency, clarity and accuracy.  With that, they certainly have achieved that goal.

 

The book is made up of two parts; with part 1 comprised of 11 chapters on general topics.

 

Chapter 1 is about Microsoft style and voice and has basic suggestions around consistency, precision, sentence structure and more.  The chapter also has interesting suggestions on writing bias-free text.  It notes that writers should do their best to eliminate bias and to depict diverse individuals from all walks of life in their documentation.  It’s suggested to avoid terms that may show bias with regards to gender, race, culture, ability, age and more.  Some examples are to avoid terms such as chairman, salesman and manpower; and use instead moderator, sales representative or workforce.

 

The manual also notes that writers should attempt not to stereotype people with disabilities with negative connotations.  It suggests that documentation should positively portray people with disabilities.  It emphasizes that documentation should not equate people with their disability and to use terms that refer to physical disabilities as nouns, rather than adjectives.

 

The book takes on a global focus and notes that since Microsoft sells its products and services worldwide, content must be suitable for a worldwide audience.  For those writing for a global audience, those sections of the manual should be duly considered.

 

The manual also cautions authors to avoid too many technical terms and jargon. The danger of inappropriate use of technical terms is that people who don’t think of themselves as computer professionals consider technical terms to be a major stumbling block to understanding. The manual suggests using common English words to get the point across whenever possible, rather than technical ones.

 

The book provides thousands of suggestions on how to write better documentation, including:

  • do not use hand signs in documentation - nearly every hand sign is offensive somewhere
  • do not refer to seasons unless you have no other choice – since summer in the northern hemisphere is winter in the southern hemisphere
  • spell out names of months – as 3/11/2012 can refer to March 11, 2012 in some places and November 3, 2012 in others
  • use titles, not honorifics, to describe words such as Mr. or Ms. – not all cultures have an equivalent to some that are common in the United States, such as Ms.

 

Chapter 6 is on procedures and technical content and explains that consistent formatting of procedures and other technical content helps users find important information quickly and effectively.  In the section on security, the style guide notes not to make statements that convey the impression or promise of absolute security.  Instead, the writer should focus on technologies or features that help achieve security; and suggests to be careful when using words such as safe, private, secure, protect, and their synonyms or derivatives.  It is best to use qualifiers such as helps or can help with these words.

 

As noted earlier, the style guide is simply a guide, not an absolute. In the book Eats, Shoots & Leaves: The Zero Tolerance Approach to Punctuation, author Lynne Truss writes of terms that are grammatically incorrect, but so embedded in the language that they are what she terms a lost cause.  With that, the style guide has the pervasive use of the term all right, as opposed to alright.

 

According to dictionary.com, although alright is a common spelling in written dialogue and in other types of informal writing, all right is used in more formal, edited writing.  My own preference is that alright is clearer and ultimately more concise. In this guide, I found that Microsoft’s preference for all right to be distracting.

 

Differences aside, part 1 provides vital assistance to any writer who is interested in writing effective content that educates the reader in the clearest manner possible.  The book is the collective experience of thousands of writers and their myriad sets of documentation.  The book provides page after page of unique information.

 

Part 2 is a usage dictionary that is a literal A-Z of technical terms, common words and phrases.  The goal of the usage dictionary is to give the reader a predictable experience with the content and to ensure that different writers use the same term in a standard way.  Some interesting suggestions in the usage dictionary are:

 

  • access rights – an obsolete term.  Use user rights.
  • collaborator – do not use collaborator to describe a worker in a collaborative environment unless you have no other choice, as it is a sensitive term in some countries.  Specifically, being labeled a collaborator in some parts of the world can get one killed.
  • email – do not use as a verb.  Use send instead.
  • master / slave – do not use, as the terminology, although standard in the IT industry, may be insulting to some users.  The manual notes that its use is prohibited in a US municipality.
  • press – differentiate between the terms press, type, enter and use, and use press, not depress, hit or strike, when referring to pressing a key on the keyboard.

Some of the entries are certainly Microsoft-centric, such as:

  • blue screen – the guide says not to use blue screen, either as a noun or a verb, to refer to an operating system failure. Use stop or stop error instead.
  • IE – never abbreviate Internet Explorer; always use the full name.

 

Say what you will about Microsoft, but any technical writer who is serious about becoming a better writer can learn a lot from the writers at Microsoft. Microsoft is serious and passionate about documentation, and that is manifest in this style guide.

 

Microsoft has been criticized for its somewhat lukewarm embrace of open source.  With the Microsoft Manual of Style, though, Microsoft is sharing a huge amount of its intellectual capital for next to nothing.  At $29 for the paperback and $10 for the Kindle edition, the manual offers a windfall of valuable information at a bargain-basement price.

 

This guide is a comprehensive manual for the serious writer of technical documentation, be it a high school student or a veteran author. In fact, to describe the guide as comprehensive may be an understatement, as it details nearly every facet of technical writing, down to arcane verb usage.

 

Many authors simply write in an ad hoc manner.  This manual shows that effective writing is a discipline: the more disciplined the writer, the more consistent and better the output.  Anyone who wants to be a better writer will undoubtedly find the Microsoft Manual of Style an exceptionally valuable resource.

In IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job, the authors cover core information security topics and then pose the kinds of questions that may come up in the course of an interview.  Some of the areas covered are network and security fundamentals, firewalls, regulations, wireless, security tools, and more.

 

The book is a standard interview preparation guide, with a focus on information security.

 

Last week, Gal Shpantzer, in a moment of levity, wrote a blog post, We Didn't Start the Fire(wall), set to the tune of We Didn't Start the Fire by Billy Joel.

 

The highlights of Gal’s lyrics are as follows:

 

Hacktivism, PGP, Red China, Entropy

BlackBerry, Neuromancer, PageRank SEO.

Dan Kaminsky, Richard Nixon, Studebaker, Max Vision

Red Pill, Blue Pill, CISSP.

RADIUS, Logic Bomb, Pain Ray, Johnny Long

Gene Schultz, The King And I, when do we stop SQLi?

Robert Morris, Vaccine, England's got the same queen

DVD Jon, Liberace, Operation Bot Roast.


Chorus: We didn't start the firewall

It was always burning

Since the URL’s been turning

We didn't start the fire

No we didn't light it

But we tried to fight it.


Pirate Party, Rybolov, Nimda and CSRF

Blaster LoveBug, John The Ripper, Communist Bloc

SRI, BBN, PDF bugs round the bend,

D-N-S Fails, Synchronize the Clocks.

Stuxnet, LASER Beam, BSides’ got a winning team

Hoffacino, Xerox PARC, Kristin Paget, Bletchley Park.

Lycos, LulzSec, Altavista, Cuckoo’s Egg

Freedom Frisk, Howard Schmidt, Paris Hilton’s Sidekick.


Cyber Storm, AirCrack, Mickey Mantle, ENIAC

Mitnick, System High, It’s the year of PKI

Keyloggers, Stacheldraht, Operation ShadyRAT

BitLocker, SecuTwits, Sony-BMG Rootkit

SE Linux, @Beaker, EFF, Mafia

SIPRNET, Lamo, Ripco is a no-go.

U2, WikiLeaks, IANA and IRC

Securosis, RAND Corp, Hacker’s Manifesto


Zimmerman, LANMan, Stranger in a Strange LAN

Webcam, KLM, APT invasion

(David) Bell-LaPadula, Foursquare check-in mania

Vint Cerf, Trojans, GPUs make BitCoins

JavaScript, Active X, British Politician sex

RSA: Blown away! What else do I have to say?!?

Chorus


451, brute forcing, Kerberos is back again

Pick locks, teraflops, Captain Crunch, DevOps

Begin, Reagan, Cross Domain, hackers bringing Titan Rain

Ayatollahs in Iran, US in Afghanistan

9/11, Sally Ride, Biba Model, suicide

Foreign debts, homeless vets, AIDE, Crack, iOS

Got collisions in the SHA, China's under martial law

BYOD, browser wars, I can't take it anymore!

 

Chorus (2x)

 

Most of the people I shared this with got a kick out of it.  While Shpantzer won’t be quitting his day job anytime soon in pursuit of a Grammy, I think his lyrics would make a great hiring tool in the interview process.

 

While Shpantzer meant this as comic relief, I think he might be onto something much bigger. Here is my idea: the next time you interview someone for an information security position, don’t obsess over their resume; rather, show them We Didn't Start the Fire(wall) and ask them to explain each reference.

 

The (ISC)² CBK (common body of knowledge) is the taxonomy on which the CISSP exam is based.  It is a collection of topics relevant to information security professionals around the world. It establishes a common framework of information security terms and principles that allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding.

 

Shpantzer has in effect created his own CBK, and if a job candidate can adequately explain We Didn't Start the Fire(wall), they likely have a good handle on information security.  The lyrics cover encryption, malware, certifications, industry personalities, industry conferences, hacking tools, protocols, hardware, operating systems, vulnerabilities and much more.

 

Of course, if too many people took my advice, we would see the rise of We Didn't Start the Fire(wall) boot camps, prep guides, books, cheat sheets, seminars and more, which would undermine its usefulness as an interview tool.

 

But by the time that happened, Shpantzer would likely have written We Didn't Start the Next Generation Fire(wall).

 


In memory of Hal Tipton

Posted by Ben Rothke Mar 18, 2012

Hal Tipton passed away last week.  Some called him the father of the CISSP certification, as he was the main author of the (ISC)² CBK.

 

In 2001, (ISC)² first presented the Harold F. Tipton Lifetime Achievement Award. The award is given annually to those who share Hal’s tradition of passionately promoting and enhancing the information security profession.  He was its first recipient.

 

I first met Hal about 15 years ago at a Computer Security Institute conference, and from the outset I was impressed by his character.

 

Tipton was best known as the editor of numerous information security reference guides and CISSP study guides, including the Official (ISC)² Guide to the ISSMP CBK, the Information Security Management Handbook and others.

 

While Hal was a major influence on and inspiration to many people, a lot of people nonetheless didn’t know him.  Part of the reason was that he was very much a behind-the-scenes type of person.

 

He always used his talents and influence in a positive way, and he gave many people numerous opportunities to contribute to the information security community.

 

Hal’s experience goes all the way back to the early days of information security, many decades ago. 

 

Hal was a great listener, full of good advice, humble, and just a very nice and kind person.

 

The world is a better place because of Hal, and he will be sorely missed.


Just got a copy of Cyber Attacks: Protecting National Infrastructure by Edward Amoroso, Chief Security Officer at AT&T.


The book notes that the US lacks a coherent technical and architectural strategy for preventing cyberattacks from crippling essential critical infrastructure services.


The goal of the book is to start a dialogue within the broader technical community around proper methods for reducing national risk.


Amoroso is one of the most pragmatic and provocative members of the information security community, and this looks to be a valuable resource.


Full review to follow.


Just got a copy of Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software.

 

For many people, malware analysis means running an anti-virus scan on their desktop and seeing how many threats were found.


For those who are looking for more, Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software is a comprehensive guide to systematically understanding, analyzing, debugging and disassembling malicious software.

 

This is a highly technical and valuable book for anyone who wants to get to the depth of truly understanding how malware works.

 

At over 700 pages, the book covers nearly everything on the topic.


Infosec guru Richard Bejtlich wrote the foreword to the book, and he says it best when he writes that armed with this book, you will have the edge you need to better detect and respond to intrusions on your enterprise or that of your clients. He concludes that every piece of malware you reverse engineer and scrutinize raises the opponent’s cost by exposing his dark arts to the sunlight of knowledge.  I could not have said it any better.

 

For anyone looking for an authoritative guide on the topic, Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software is required reading.


In the 1800s, workers who became known as Luddites protested against machinery that cut the need for their own physical labor, and the name has since become synonymous with opposition to technological progress of any kind.


Today’s Luddite would likely protest what the Internet has brought. In fact, the first 200 pages of Digital Assassination: Protecting Your Reputation, Brand, or Business Against Online Attacks has enough real-life horror stories to convince a significant number of people that the Internet’s technological prowess comes at too high a cost.


Numerous stories in the book describe how the Internet is being used to destroy brands, reputations, and people’s well-being. These incidents range from inappropriate use of Facebook and blog postings to bogus Wikipedia entries to blatant Internet-based character assassination, and much more. The book familiarizes readers with terms such as “silent slashes,” “evil clones,” and “jihad by proxy” as the authors describe the “seven swords of digital assassination” that damage entities’ reputations.


But the book does more than scaremonger. In chapter 11, the authors write about the “seven shields of digital assassination,” the main ways organizations can protect themselves. The authors go into great detail on how an organization should respond to online attempts at character assassination.


Other valuable topics include optimizing reputation and a strategy for digital defense. The authors list many Web sites that can be used to help discover what is being said about an organization or professional on blogs, message boards, and other locations. The authors also provide an effective overview on how entities can use social media to assist in image management.


The original Luddites couldn’t stop the industrial revolution, and no one can stop the digital one. The only logical response is to adapt. Just as any business executive would ensure that the company’s physical perimeter is secured, so too must today’s executive ensure that the company’s online presence is secured. For those serious about a way to do that, Digital Assassination: Protecting Your Reputation, Brand, or Business Against Online Attacks should be required reading.

Microsoft Manual of Style

Posted by Ben Rothke Feb 27, 2012

The Chicago Manual of Style (CMS), now in its 16th edition, is the de facto style guide for American writers. It deals with every aspect of editorial practice, from grammar and usage to document preparation and much more.  The Chicago guide is one of many style guides for writers.


The Microsoft Manual of Style, just out in its 4th edition, attempts to do for the technical writing world what the CMS has done for writing in general.


Anyone who has read Microsoft documentation knows it has a consistent look and feel to it. 

 

The goal of the book is to help the reader create documents that are clear and concise.

 

The book contains best practices for writing content for the web, optimizing for accessibility, and communicating with a worldwide audience.

 

This looks to be a really good title with a lot of fascinating information.

 

Full review to follow.