Silicon Shecky

IT News, Reviews and Thoughts

Connect

Cyclical

By Leave a Comment

There was a new Intel flaw announced this week dealing with Floating Point Calculations and Math processing. You would think it would take longer than 24 years for intel to have another Floating Point issue.

Now, I am not saying it is the same type of flaw, but the general public won’t understand that, at least those that remember the 1994 flaw. Back then it was actual mathematics that failed. This time is is the registers that can have data swiped from them. It got me thinking about security and security flaws.

Last year EternalBlue was announced. It reminded me of the days of code red in the way it wormed around using old flaws. We keep seeing cross site scripting, cross site forgery, SQL injection and others go in and out of style. How cyclical is security and why does it seem to be so?

The answer may be as simple as we can only focus on so much at once. We see attacks of a certain style happening, we learn about them, learn how to defend them and forget about other types of attacks that are not really being used. We figure our governance on how to prevent them is still being heeded, so we lose sight, until that style of attack becomes hot again. Same is true about flaws. In our fast paced, need it now, first to market society something has to give. A human can only do so much. Yes, we have tools that should find what we call the low hanging fruit, the items we are not focusing our direct energy on, but these are only tools, and if we ignore the reports they generate, we miss out.

The other way we miss out on the reports generated is with too much noise in those reports. This is one of the biggest flaws I see. You get a tool, and it generates so much noise that it becomes useless. We only have so many eyes and so much time so we just naturally start dismissing everything. It does not matter if the tools are meant to find bugs in code, security holes or monitor for security events, we get false positive fatigue. We have to make exceptions on top of it all in order to allow our companies to do their work and make the money so they can pay us and we can stay employed. Tools are supposed to help with all of that, and by tools I mean software and hardware. The issue there comes in that nothing is a one size fits all.

The tools leave us with a couple other problems. They become too unwieldy to manage or tune, or just a bad, do not allow the granularity to tune them as needed. It takes time, time away from us doing other things that are important, such as going through the latest scans, checking hardening standards, learning about the equipment we have. Instead what was though of as a 6 month deployment turns into a 2-3 year deployment. By the time the deployment is done there are new tools that are being used, perhaps even in your environment that cause the same tuning problem.

We burn out from it all. You might think this could be handled by hiring more of us, by getting more people into the field. That is only part of the answer though. The other part is understanding what level we really need people in. Where we need more people is in the “entry level” analyst type roles. Companies are crying about the shortage of mid to high level people out there, but if they focused on bringing in more of the entry level, they could groom those people to move up and have more eyes on those noisy logs and reports. Give those analysts a chance to learn in their position so they can take the next step. Instead we have fewer eyes on the problem. This is not even taking into account the culture that drives so many away from our field. The sexist, racist, elitist situations that drive some very smart and capable people away. Yes we have a pretty strong community but our field is not just our community that talks to each other, and even there we have issues. Those issues keep cycling back around from how we treat people with not as much knowledge, to how we treat people who look at problems differently, and even how we treat people we disagree with. The sexism is not cyclical, it is a constant. It use to be cyclical though, at least how and when it was brought up. I fear how constant it is makes it become background noise to many, when it should not, but that is for a post and discussion of its own.

So the question is how do we break from this vicious set of cycles? Some thoughts have been proposed about, such as focusing on generating more entry level positions and then mentoring people up through the tuning projects you have. Outside of that, better made tools, that allow us to do what we want with them. Ones that have the granularity and the ability to be easily tuned for noise. We need to learn from the past and realize that just because something is not being used widely now, does not mean it will not be in the future again. There are only so many ways to do things, and while that can be a large number, we are lazy, and will go back to the simplest way we can find.

Finally, we need to stop thinking we are better than each other and other people. We say that people are the biggest security hole. Just remember that we are part of that hole just as much as the secretary, or the neophyte in the field or the CEO. We are fighting from inside the hole and holes are normally circles.

 

Lack of Control?

By Leave a Comment

You get a tool to use. The tool looks good, in fact other tools from the same company look good. This tool though seems to be the red-headed stepchild.

Recently, I have been trying to clean up and tune an endpoint solution. It is made by a company I have some respect for, and I had seen in the past. The tool itself seems to work well. The problem, like with so many tools, is getting the best data out of it. The signal to noise ratio on the monitoring aspect is huge! The threat detection and prevention works well enough, but the amount of data to sift through on data that is just being brought in for you to monitor is difficult at best. The issue is a fine line between being able to warn about a potential threat and knowing what normal behavior is. The example I will use here is opening known PDFs. These are seen as an application, each with their own hash by said product, for scanning purposes. All fine and dandy, but when the PDF is opened, certain executables that get called cause a trigger for a monitoring alert to be made. These executables are known and trusted applications (part of the PDF reader), but due to the unknown nature of the PDF, they come up as an alert for running the executable. This creates a ton of noise in the alerts area. The problem is there is no real way to tune out these alerts, as the product is set up now, without risking not seeing alerts that one might need to check on. It makes the monitoring alerts useless, unless you feed the data to a SIEM where you can do the filtering. The kicker is customers have been complaining in the user forums about this for over a year now, and still nothing has been officially announced as being done. The rumor is they stealth fixed this in an update to the product, but there is nothing in the release notes. So in the mean time, I have to go through and keep the alert area clean of the noise, which eats into my time to do other things. A company my size it is nowhere as bad as what could happen in a huge company with tens of thousands of endpoints.

Situations like this can leave a bad taste in the customers mouth. Companies get so overprotective of certain things, and hate admitting mistakes. Personally, I would rather a company be up front and over communicate what is going on with an issue such as this. I am more likely to recommend a company that is upfront and honest, and has good communication with a not quite as mature product than a completely mature product but hides from their customers, especially the smaller ones. They need to remember that while the larger companies bring in the greater money, attackers tend to move from the smaller fish into the bigger ones, therefore showing attention to the smaller companies gives you a good reputation with the larger ones.

Simple Post

By Leave a Comment

Quick post this week, just to keep posting. With starting a new job this week, I haven’t had the time to really work on an idea for a post. That being said one thing did cross the Twitterverse this week that I wanted to weigh in on.

Seems there is some controversy over a shirt worn by someone presenting at a conference. The shirt which had a woman in a more sexual pose (boobs showing? I could not see the picture well) has again divided the community. The big thing here is that most people I know do not see a problem with the shirt in a general sense, the deem it inappropriate to be wearing while on stage in front of people speaking on a topic. Agreed unless the shirt directly related to the topic being discussed. As a speaker you are representing yourself (and possibly the company you work for as a lot of speakers put that information in their slide deck), and this shows poorly on a professional level. Sure, it might be a small hacking con, and in the world of hackers who cares. Reality is different though. When speaking show some decorum please. It makes it easier for people to take you seriously. I am not saying you need to be dressed up, t-shirts are fine. Just something that is not going to cause a fuss or embarrassment to your employer or to the con. It is not that difficult to do.

Now that I have gotten off my soap box, those going to CircleCityCon this weekend, have a great time. If things go well I will see you all there next year.

I also recently did put in a CFP for DerbyCon so we can see if that flies. If not, I will do it again next year. While constantly trying advances to date someone is frowned upon, constantly trying in a lot of other things in this world is smiled upon. This talk I put in for is not a technical talk, but a soft skills talk so it will be interesting to see if it gets accepted.

Until next time, remember this time!