Wednesday, March 24, 2010


This seems to be my month to try out new tools (Jim Clausing would be happy with me), and I'm running another new one as I speak. This one is a web vulnerability scanner called skipfish. It runs on Linux, FreeBSD, Mac OS X or Windows, so I'm, of course, running it on one of my *nix test boxes (I don't do security tools on Windows if I can help it). Downloaded the tarball, extracted it, and compiled after installing the one dependency the README said I'd probably need, GNU libidn (funny thing, how reading the documentation always seems to make these installs go smoother!).
I'm running it against a NetSec box, so I created an empty dictionary and used -L to disable brute forcing of extensions it found, which, if I read the docs right, means I'll just get a nice crawl the first time through. Anyway, it's been mentioned on the SANS lists and even posted on the Storm Center diary. That in and of itself is enough of a recommendation that I'd give it a test run, if you need a web test tool (maybe you're a pen tester, or you're responsible for hardening/protecting web servers).
Get it here if you're interested...

Friday, March 19, 2010

Cyber Security Act Part 4

The Cybersecurity Act has been reworked again, removing the so-called "kill switch" for the president, which would have allowed him to shut down key infrastructure segments under attack. Instead the new version requires the White House to work with the private sector to determine critical networks and how they should be protected. Details on the Post found here.

Friday, March 12, 2010


I recently took BotHunter, found here, for a test drive. I fortunately already had a test box with an interface monitoring a segment I could use, so it was simply a matter of download, install, done.
Setup couldn't be any easier. The Java-based installer does all the heavy lifting for you, compiling the binaries for BH, installing a customized version of snort, and using rpm to download any dependencies needed. It then prompts you for the ranges of your internal networks, any DNS servers, mail servers and the like, to add context to its results.
It has a GUI console if you prefer, but you can also administer and monitor it via the command line. It uses a weighting system, which is covered in depth in the docs, to produce a score depending on the events it has observed from the host. The higher the score, the more likely the box has been popped and is part of a botnet. Anything over 0.8, it flags for your attention.
It's free, of course, from SRI International, though it's not open source and they retain all rights over the software. You can choose to upload your results to their repository, adding to the overall knowledge of botnets and helping fight the good fight, or you can choose to keep your results local if there would be issues with that. The installer even helpfully offers to install Tor, if you would like to upload your results anonymously.
I wouldn't recommend doing this in a corporate environment, for obvious reasons, but for other places like a home network, research lab or NetSec vendor, adding to the overall info helps the community as a whole. Which is why, by the way, you should participate in DShield if you're not already.

Mum's The Word

The firing of the State of Pennsylvania's CISO, for discussing a system breach in the state's online driver exam scheduling system, is a sober reminder to never, ever discuss security incidents unless you've been expressly given the OK. In writing. By someone who has the authority to authorize that. Incidents are usually the realm of the company's public relations department, and decisions are made at the C-suite level. Ouch. That little indiscretion cost him what was probably a decent gig. Details here.

Tuesday, March 9, 2010

A Moment's Reflection

I'm coming up on my 10th anniversary in Network Security, my 15th in Information Technology.
I moved, abruptly, from being the head of a desktop support team to NetSec, in a day. Probably not the usual path one takes to security. I think these days most start out in that area from college, or move over from Infrastructure or the Server Team.
There were no information security people on staff when I moved over. None, in any area. No one had any idea what I should do or even where to find out. So I became a generalist in every area, as well as having to build up each new area from the ground up, with no experience, no help and no training. I didn't get to my first training conference (SANS) until 2002, two years into my new duties.
I got IDS off the ground, then moved on to vulnerability testing, anti-virus, content monitoring, and centralized logging. I wrote policy, procedures on hardening servers and applications, did threat research, incident response and even a little end user awareness writing. Probably others I can't recall.
For all the negatives there are in never getting to specialize in one area (and consequently becoming a SME, at least to your company), I think all the exposure to different tools and technologies helped some too. Even though sometimes the "jack of all trades" gig gets old, it's instilled a confidence in me I'll never lose. I can dive headlong into a new project, even if I know nothing about it at the outset, believing I can get myself up to speed eventually and accomplish what needs to be done. I've done just that many times out of necessity.
That role, for me, is quickly coming to an end. I'll soon be transitioned out of my generalist duties and into a more siloed position. My old company was bought by a new, much larger company, and our migration to the new networks and ways of doing things is in full swing.
That said, if you're just getting started or will be soon, the way I see the industry going, my opinion would be to specialize. I don't see how, in the future, very many companies, except the very small ones, will be able to get by with a generalist like I was. Find out what really interests you, and hit it hard until you've mastered it. You'll make yourself very valuable to a team somewhere, and you'll go to work each day and do what you love and love what you do.
Diversification is great for stock portfolios, in my opinion. For network security people, not so much.