Medium Difficulty Security

I have been thinking about the PaulDotCom argument that good security is hard. Obviously it is. Application Whitelisting is way harder than AntiVirus from a deployment perspective. I’m going to try some compromises that are medium difficulty. My goal is for these to be a stepping stone towards the hard changes.

My first change is implementing honey IP ranges and honey DNS entries as a stepping stone towards full honeypots. I’ve already got the easy monitors for network scanning. They are pretty worthless. I entered requests to get a couple of blocks of IP ranges reserved across the network. I asked for ranges mixed into various user environments, server environments, etc. I’ve also got DNS entries reserved. Some are straight from the dnsrecon list, others are custom based on the business as well as key employees. I don’t have honeypots yet, but this seems like a decent start.
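The point of a reserved range or a reserved name is that nothing legitimate should ever touch it, so a detector needs no baseline: a single connection into honey space or a single lookup of a honey name is a finding. The following is an added example, not code from the post; the reserved blocks, the honey hostnames and both log formats are constructed to show that logic, including a ranking step that separates one stray touch from a host sweeping the network.

```python
"""Honey IP range / honey DNS tripwires over constructed log lines.

Added example, not the post's own code.  Everything here is hypothetical:
the reserved blocks, the honey hostnames and both log formats are made up
to show the detection logic the post describes.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical reserved blocks carved out of user and server networks.  Nothing
# is ever assigned in them, so any packet aimed at them is suspicious by
# construction (no baseline needed, unlike a generic scan detector).
HONEY_RANGES = [
    ipaddress.ip_network("10.20.7.0/28"),     # inside a user VLAN
    ipaddress.ip_network("10.50.200.0/29"),   # inside a server VLAN
]

# Hypothetical honey names: generic labels a tool like dnsrecon brute-forces,
# plus business- and people-specific guesses.  They resolve into honey space.
HONEY_NAMES = {
    "vpn2.example.com",          # from a generic wordlist
    "backup.example.com",        # from a generic wordlist
    "ceo-laptop.example.com",    # tailored to a key employee
}

# Constructed log formats.
FW_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
DNS_LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+)$")


def in_honey_range(ip):
    """True if ip falls inside any reserved honey block."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in HONEY_RANGES)


def scan_firewall(lines):
    """(src, dst, dport) for every connection attempt into honey address space."""
    hits = []
    for line in lines:
        m = FW_LINE.match(line)
        if m and in_honey_range(m["dst"]):
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


def scan_dns(lines):
    """(client, name) for every lookup of a honey hostname."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        name = m["name"].rstrip(".").lower()   # tolerate a trailing dot
        if name in HONEY_NAMES:
            hits.append((m["client"], name))
    return hits


def rank_sources(fw_hits, dns_hits):
    """Distinct honey touches per source, highest first.

    One touch may be a typo; a host that hits several honey addresses or
    ports, or both honey IPs and honey names, is enumerating the network.
    """
    touches = defaultdict(set)
    for src, dst, dport in fw_hits:
        touches[src].add(("ip", dst, dport))
    for client, name in dns_hits:
        touches[client].add(("dns", name))
    return sorted(((src, len(t)) for src, t in touches.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample logs: 10.1.1.23 sweeps SMB across a honey block and
# looks up a honey name; 10.1.5.9 only talks to real hosts.
SAMPLE_FW = [
    "2013-10-01T09:00:01 src=10.1.1.23 dst=10.20.7.1 dport=445",
    "2013-10-01T09:00:01 src=10.1.1.23 dst=10.20.7.2 dport=445",
    "2013-10-01T09:00:02 src=10.1.1.23 dst=10.20.7.3 dport=445",
    "2013-10-01T09:00:05 src=10.1.5.9 dst=10.50.201.5 dport=443",   # real server
    "2013-10-01T09:00:07 src=10.1.5.9 dst=10.20.7.16 dport=80",     # just outside the /28
]
SAMPLE_DNS = [
    "2013-10-01T09:00:03 client=10.1.1.23 query=backup.example.com.",
    "2013-10-01T09:00:04 client=10.1.5.9 query=www.example.com.",
]

if __name__ == "__main__":
    fw = scan_firewall(SAMPLE_FW)
    dns = scan_dns(SAMPLE_DNS)
    for src, n in rank_sources(fw, dns):
        print(f"{src}: {n} honey touches")
```

Two things worth keeping from this even once real honeypots replace the empty ranges: the DNS side catches reconnaissance before any packet reaches honey space, and counting distinct touches per source is what turns the alert into a priority rather than a noise feed.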

My second change is that I’m investigating web filter whitelisting for non-standard domains. I’ve already got the dynamic DNS services (No-IP, DynDNS) blocked with a few exceptions. My next step is going to be to do the same for the under-used TLDs. If it isn’t .com, .net, .edu, .gov, or .mil, I am considering a whitelisting approach. So for instance, we have no business in Libya. The .ly TLD will be blocked with the exception of bit.ly.
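Written out as a decision function, the policy above has an ordering subtlety: the dynamic DNS check has to run before the TLD check, or a provider under .net or .com gets waved through by its TLD, and the exception match has to respect label boundaries so that bit.ly does not also admit notbit.ly. This is an added example, not the post's own filter configuration; the standard TLD list and bit.ly come from the post, while the dynamic DNS base domains, the extra exceptions and the sample URLs are hypothetical.

```python
"""TLD whitelisting policy for a web filter, as a decision function.

Added example, not the post's own code.  The standard-TLD list and bit.ly
come from the post; the dynamic-DNS base domains, the extra exceptions and
the sample URLs are hypothetical.
"""
import ipaddress
from urllib.parse import urlsplit

# TLDs allowed outright (from the post).
STANDARD_TLDS = {"com", "net", "edu", "gov", "mil"}

# Hypothetical base domains of dynamic DNS services, blocked wholesale even
# though some sit under an otherwise allowed TLD like .net or .com.
DYNAMIC_DNS_BASES = {"no-ip.org", "no-ip.com", "dyndns.org", "ddns.net"}
DYNAMIC_DNS_EXCEPTIONS = {"partner-gw.ddns.net"}      # hypothetical

# Registered domains allowed although their TLD is not (bit.ly from the post).
TLD_EXCEPTIONS = {"bit.ly"}


def _under(host, bases):
    """True if host equals or is a subdomain of any base domain.

    The leading dot matters: 'notbit.ly' must not match the 'bit.ly' exception.
    """
    return any(host == b or host.endswith("." + b) for b in bases)


def classify(url):
    """Return (verdict, reason) for a URL under the whitelist policy."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return ("block", "no usable hostname")

    # A raw IP literal has no TLD to judge; treat it as a policy miss.
    try:
        ipaddress.ip_address(host)
        return ("block", "raw IP literal")
    except ValueError:
        pass

    # Dynamic DNS check first, so a .net provider is not let through by its TLD.
    if _under(host, DYNAMIC_DNS_BASES):
        if _under(host, DYNAMIC_DNS_EXCEPTIONS):
            return ("allow", "dynamic DNS exception")
        return ("block", "dynamic DNS provider")

    labels = host.split(".")
    if len(labels) < 2:
        return ("block", "no TLD")          # bare hostnames, e.g. 'intranet'
    tld = labels[-1]
    if tld in STANDARD_TLDS:
        return ("allow", "standard TLD")
    if _under(host, TLD_EXCEPTIONS):
        return ("allow", "whitelisted domain under ." + tld)
    return ("block", "non-standard TLD ." + tld)


# Constructed sample URLs.
SAMPLE_URLS = [
    "https://bit.ly/3xmpl",
    "https://www.bit.ly/3xmpl",
    "http://notbit.ly/payload",
    "http://www.example.com/",
    "http://c2.no-ip.org/beacon",
    "http://partner-gw.ddns.net/",
    "http://198.51.100.7/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, reason = classify(u)
        print(f"{verdict:5} {u}  ({reason})")
```

The raw IP case is a design choice rather than something the post states: an IP literal has no TLD to evaluate, and letting it through would hand anyone who wants around the TLD policy an easy bypass. Expect the exception list to grow quickly for country-code and newer generic TLDs that the business does use; that churn is the price of whitelisting, and it is still far less work than application whitelisting.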

DerbyCon 2013

My trip started out rough.  The guy I was supposed to stay with fell ill and couldn’t make it.  I ended up staying across the river in Clarksville.  I’d advise against it if you like to walk.  I didn’t feel safe walking back at night.  I stopped at the Buffalo Trace distillery on my way down.  It was a nice tour.

This year’s DerbyCon was very nice.  The crowd was a little bigger than last year.  I had trouble getting into a couple of talks this year.  I do not remember having that issue last year.

I was a lot more social this year.  I attended Hacker Family Dinner hosted by Tottenkoph, BourbonCon, and the Saturday party.  I’d highly recommend Hacker Family Dinner and BourbonCon.  They were quality events.  I got to meet a lot of people.

There were two tool talks I wanted to attend.  I did not get to attend either.  The talks were packed.  The first was the Malware Management Framework talk.  I had watched the original talk at BSides LV and wanted to see the follow up.  I also wanted to see John Strand’s talk on ADHD, the Active Defense Harbinger Distribution.  MMF was a demonstration of a new tool for detecting malware on systems.  My understanding is that ADHD is an active defense tool.

Josh Corman’s talk on The Cavalry is Us should have been the keynote.  The keynotes were both on the Internet Of Things concept.  Other talks mentioned the Internet Of Things.  I think Josh summarized it the best.  We are getting worse faster than we are getting better.  The other way he stated it was that our dependence on software is growing faster than our ability to secure it.

Josh had an excellent graphic I’m going to have to use the next time I ask for an advancement in the security posture at work.  The graphic had cost, complexity, and risk in the center with five arrows pointing to it.  Evolving Threat, Evolving Technology, Evolving Business, Evolving Economics, and Evolving Compliance were the arrows.  It seems like an extremely strong argument for why we need to keep moving forward.  I had previously tried the Red Queen hypothesis, but that fell flat.  I guess upper management doesn’t respect Lewis Carroll nor evolutionary biology.

And with that, the conference year is over for me.  My next conference related post will be ShmooCon next year, assuming of course that I manage to get a ticket.