Revolution
On this 4th of July, I find myself wondering if a revolution is about to occur in the information security arena. Is the policy based compliance model going to be overthrown by the risk-based protection model? What are the ramifications? Are most CIOs aware or even ready for such change?

Technological Upheaval
Ground breaking innovations often causes some form of upheaval. Most folks are familiar with the story of Robin Hood and his band of merry men. Another group living in the Sherwood Forest area, though later around 1811, were the Luddites. These men from the past have a great deal to teach us concerning the ramifications of revolutionary technological change. The Luddites were highly skilled and quite well paid croppers (men who worked cloth). Their job was to cut the cloth after it had been raised with shears. These shears weighed 40 lb and were 4 feet long. Their world was turned upside down by the introduction of the water powered shearing frame. This new technology was simple enough that it could be operated by an unskilled worker, taking under a quarter of the time.

Luddites fought back by breaking into factories at night and destroying the new machines. In a three-week period, for example, over two hundred stocking frames were destroyed. While this may not be as exciting as Robin Hood, just as in that story the heavy hand of the government came down on the Luddites. The Frame Breaking Act made machine-breaking a capital offense. In Yorkshire in 1812, over 12,000 soldiers were brought in to keep order. Roundups of hundreds of men occurred. Some were deported to penal colonies and others were executed. At one point seventeen men were executed. In the end, the Luddites could not stop technology from advancing. By the 1820s the Luddite movement had ceased to be active and few croppers could find work in the woolen industry.

It’s All About Risk
The moral of the story is that technology does not exist in a vacuum. Not if it is useful technology. It ends up being integrated into the environment in which it operates. This integration can be peaceful, or not. Either way, it will occur. Policy based compliance tend to have policies dictating discrete, predefined information security requirements along with associated safeguards and countermeasures. There is minimal flexibility in implementation and little emphasis on explicit acceptance of mission risk. Compare that to risk based protection where the enterprise missions and business function drive security requirements, associated safeguards, and countermeasures. It is highly flexible in implementation and focuses on acknowledgment and acceptance of mission risk.

Today, organizations are taking a serious look at their information technology (IT) groups and questioning the governance models necessary to minimize risks and maximize returns. Taking the definition from the Control Objectives for Information and related Technology (COBIT) executive summary, IT governance is “a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”

Command and Control
Business managers and stakeholders, in order to trust and rely on IT must have some sense of reliability and control. Add to this business mix the constant pressures to decrease cost, increase reliability, and meet requirements to comply with local and federal regulations. Communication between different groups within an organization is essential, whether that be technical folks, auditors, finance, managers, etc. Innovation cannot exist only in the IT arena. It must translate into overall business process improvements. To help do this, companies are showing greater interest in best practices and in frameworks such as Information Technology Infrastructure Library (ITIL), International Organization for Standardization (ISO/IEC ) 17799, and COBIT. Government organization need to follow the DoDI 8500.2 “Information Assurance (IA) Implementation” document or National Institute of Standards and Technology (NIST) SP 800-53A “Recommended Security Controls for Federal Information Systems.”

As organizations attempt to implement these frameworks/recommendations/requirements questions concerning how to bring these standards together arise along with difficulties in helping organizations get from where the company current is to where the company needs to be? Government does not get a free pass. Government agencies are faced with the daunting task of having to work together to combat security risks. That includes federal information systems that support defense, civil, and intelligence agencies along with private sector information systems supporting U.S. industry and businesses and information systems supporting critical infrastructures within the U.S. It would be helpful if we could start talking the same language. Or at least develop a dictionary so we can understand each other. Winston Churchill once said, “Out of intense complexities intense simplicities emerge.” By bringing together the seemingly diverse security best practices and controls from COBIT, ITIL, DoDI 8500.2, and NIST SP 800-53A, we hope intense simplifications emerges.

Battle Plans
First, a little background. The Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and NIST both address the Federal Information Security Management Act (FISMA) of 2002 requirements. FISMA is a United States federal law which recognizes the importance of information security to the economic and national security interest of the United Stats. FISMA tasked NIST with the responsibility of “providing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.” While DIACAP establishes “the standard DoD process for identifying, implementing and validating information assurance (IA) Controls for authorizing the operation of DoD information systems and for managing the IA posture across DoD information consistent with Title III of the E-Government Act, FISMA, DoDD 8500.a and DoDI 8500.2.” A major part of the DIACAP process is testing to make sure compliance with regulations occurs. The testing is based on security controls set out in DoDI 8500.2. The NIST SP 800-53A also “provides guidelines for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government.” As you can see, NIST 800-53A and DoDI 8500.2 are fairly similar in definitions and methodologies.

COBIT’s original purpose was to link IT process and controls to business requirements. Management guidelines were later added, providing management tools such as metrics and maturity models. ITIL is effective IT service management focused. It consists of 10 processes, which break down into service support (operational) and service deliver (tactical) processes. ISO/IEC 17799 focuses on security and attempts to aid an organization in the creation of an effective IT security plan.

Strengths and Weaknesses
The Information Systems Audit and Control Association (ISACA) has put a great deal of effort in mapping COBIT to other standards. In part, this is because of COBIT’s focus is on business requirements. COBIT can be used as the framework and governance model under which other best practices integrate. Take a look at these mapping guides:

• COBIT Mapping: Mapping of NIST SP800-53 Rev 1 With COBIT 4.1
• COBIT Mapping: Mapping of TOGAF 8.1 With COBIT 4.0
• COBIT Mapping: Mapping of CMMI for Development V1.2 With COBIT 4.0
• COBIT Mapping: Mapping of ITIL With COBIT 4.0
• COBIT Mapping: Mapping of PRINCE2 With COBIT 4.0
• COBIT Mapping: Mapping of ISO/IEC 17799: 2005 With COBIT 4.0
• COBIT Mapping: Mapping PMBOK to COBIT 4.0
• COBIT Mapping: Mapping SEI’s CMM for Software to COBIT 4.0
• COBIT Mapping to ISO/IEC 17799:2000 With COBIT, 2nd Edition
• COBIT Mapping Overview of International IT Guidance, 2nd Edition
• Aligning COBIT, ITIL and ISO/IEC 17799 for Business Benefit

Coming Together
To keeps things somewhat simpler, let us only focus on the mappings that exist for ITIL with COBIT and NIST SP800-53 with COBIT. Through this approach, we will develop a path from DoDI 8500.2 to ITIL. The mapping should be helpful not only in understanding but also in organization. Keep in mind, DoDI 8500.2 is the catalog of controls and can be matched against NIST SP 800-53A. Appendix G of NIST SP 800-53A does match up ISO/IEC 17799 and DoDI 8500.2.

When we combines these mappings, we do begin to see both the strengths of certain standards. We also gain depth of coverage. Take a look at the following mapping for configure and implement acquired application software to meet business objectives.

COBIT Control	ITIL	800-53A 8500.2 17799
AI2.5: Configuring and implementation of acquired application software to meet business objectives.	SS-RelMgmt: Release Management (9.8.3)	A: SA-1: System and Services Acquisition Policy and Procedure DCAR-1: Procedural Review 12.1: Security requirements of information systems 15.1.1: Identification of applicable legislation

The complete mapping can be found from this link. This is a work in progress and is meant only as a first attempt to produce something that might clarify and help.

Building Trust
Dr. Ron Ross, project leader for the FISMA Implementation Project, has been doing some talks on transforming the certification and accreditation process through a unified risk management framework. He also wants us to be able trust each other. One of his recent presentation from November 14, 2007 to the ACT/IAC Information Security and Privacy Shared Interest Group titled “Building Trust Relationships Among Organizations” makes some very important points. In the presentation Ross states that there is an information security paradigmatic shift occurring from a policy based compliance model to a risk-based protection model. This is of key importance because the responsibility of security to provide information will depend on a trust relationship established among partners. This is applicable to both the government and industry. Trust can occur only when an organization understands the security state of their partners. Government and industry must be able to trust and understand each other’s security state.

Michael Smith, manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, makes the following important point about the unified catalog of controls in his post, “One Catalog to Rule Them All“:

What a unified catalog of controls means is that we now have something that is standardized across the board so that I can take an IA practitioner from the DoD side, put them into a civilian agency, and have a reasonable expectation that they will succeed there. In other words, I’ve decreased the switch costs for personnel transfers. I’ve also made it easier for agencies to share data with each other (conspiracy buffs here can think things about Census data feeding the Total Information Awareness program and corroborated against your classified file) and to support each other as vendors under Lines of Business, which the government needs desperately.

Eustace D. King has an article in the July issue of CrossTalk titled “Transforming IA Certification and Accreditation Across the National Security Community.” In the article King discusses the DoD and DNI CIOs seven goals for transforming C&A processes across the DoD and the IC. These goals can be found off the director if National Intelligence CIO’s “Re-Vitalizing Certification & Accreditation Initiative” page and include (quoting from King’s article):

1. Define a common set of impact levels and adopt and apply them across the DoD and IC.
2. Adopt reciprocity as the norm, enabling organizations to accept the approvals by others without retesting or reviewing.
3. Define, document, and adopt common security controls, using NIST SP 800-53 as a baseline.
4. Adopt a common lexicon, using CNSSI 4009 as a baseline, thereby providing both the DoD and IC a common language and common understanding.
5. Institute a senior risk executive function, which bases decisions on an enterprise view of risk considering all factors, including mission, IT, budget, and security.
6. Incorporate IA into enterprise architectures and deliver IA as common enterprise services across the DoD and IC.
7. Enable a common adaptable process that incorporates security within the lifecycle processes and eliminates security-specific processes.

I do like the idea of “define, document, and adopt common security controls, using NIST SP 800-53 as a baseline.”

At the last month’s Infosecurity Canada Conference & Exhibition, Al Purdy, now principal of DRA Enterprises Inc. addressed the importance of a establishing an risk management framework. “The most likely way to address some of the risks is a public-private sector collaboration based on an established risk management framework“, Purdy said. Purdy points out that the IT Governance Institute (ITGI), developers of COBIT is reported working on a risk management framework for release later this year. Herr Urs Fischer, who is leading a steering committee that is developing the framework, admits, “While COBIT does contain some discussion of risk management, ITGI realized that it needed to provide more depth and guidance as technology professionals struggle with issues around compliance with regulations such as Basel II.” Fisher goes on to say, “It’s more of an add-on (to COBIT) than a new one.” Fisher explains, “It’s not a checklist. It’s more about the way you should do risk management.”

Parting Words
I started this post wondering if a shift is beginning towards the risk-based protection model. We see elements in play. There is a definite need for establishment of a common language between all our standards, best practices, and requirements. Recent research published in the IT Governance Global Status Report 2008 found a six percent increase from 2005 in the importance of IT to business strategy. IT is increasingly playing a more vital role in business and government. Help is needed that will allow different groups within an organization to understand IT. This need to communicate goes beyond the boundary of an organization. Governments and industry need to properly be able to evaluate the risk of working with their partners and they can only do this if they can evaluate their partner’s security readiness. Partnerships do not end within one’s own country. It is not surprising to see the push for a common risk management framework.

Jacob August Riis, an Danish-born American journalist and slum reformer who created new standards in civic responsibility regarding the poor and homeless in his reporting of New York City slum conditions, once wrote, “When nothing seems to help, I go and look at a stonecutter hammering away at his rock perhaps a hundred times without as much as a crack showing in it. Yet at the hundred and first blow it will split in two, and I know it was not that blow that did it, but all that had gone before.” Sometimes the hands of change seem to move at glacial speeds, but change will come. When all the elements are in place, change can come like a flash flood. The best we can do is be patient and then make sure we are not caught like the Luddites, on the wrong side of technological advancements.

Special Thanks
I wanted to add a note of special thanks to Michael Smith over at the Guerilla CISO. Michael is quoted above. I have been a long time reader of Michael’s blog and when I came across questions concerning DIACAP, I dropped him an email. He was most helpful and informative with his responses, shared with me some pdfs, and pointed me to some great sites. If you want to know more about Michael, Martin McKeay did an interview with him a few months back. Of course, any mistakes in this post are my own, and the correct information is due to the help that Michael provided.

I wanted to direct your attention to an informative podcast and a site involving Google. First, the podcast. RedMonk did a great interview titled “Puppet at Google - RedMonk Radio Episode 48.” If you are unfamiliar with Puppet, it is an automated administrative engine written in Ruby. Pat Eyler also posted, on the On Ruby blog, an interview with James Turnbull. James is the author of “Pulling Strings with Puppet.” What makes RedMonk’s interview particularly interesting is that it is with Reductive Lab’s Luke Kaines and Google’s Nigel Kersten. To quote RedMonk, “Nigel has been using Puppet to manage ‘many, many thousands’ of Mac desktops used at Google by developers and others. He tells us how he got involved in using Puppet last year during WWDC last year and quickly applied its use to managing Google Mac desktop.”

Google represents a challenging environment consisting of many very intelligent users who are operating in a diverse development environment. It is also an environment where if anyone tried to impede the developers’ work, these inventive employees would find ways to go around. Heavy handed policies will not work. A technical solution that helps developers get their work done is the only possible workable solution. Along this line, check out James Governor’s post, “You have to treat your employees like customers.”

Staying with Google, for my second major mention, Google has made available the videos and slides from Google I/O. This gathering occurred May 28-29th and consisted of “in-depth, technical sessions on how to build the next generation of web applications with Google and open technologies.” I have added these sessions to the “Presentations” section of this blog. To save some clicking, and pique your interest, the sessions are listed below.

A World Beyond AJAX: Accessing Google’s APIs from Flash and Non-JavaScript Environments	APIs & Tools
Advanced Gadget and UI Development Using Google’s AJAX APIs	AJAX & JavaScript
Advanced KML	Maps & Geo
Advanced Ruby Scripting for SketchUp	Maps & Geo
An Introduction to Android	Mobile
Anatomy & Physiology of an Android	Mobile
Apache Shindig: Make your Social Site an OpenSocial Container	Social
Authenticating to Google Data Services	APIs & Tools
Becoming a Google Apps Small Business Solution Provider	APIs & Tools
Best Practices - Building a Production Quality Application on Google App Engine	APIs & Tools
Best Practices for Spreading Your App without Ruining the User Experience	Social
Building an Android Application 101	Mobile
Building on the Promise of OpenSocial	Social
Building Scalable Web Applications with Google App Engine	APIs & Tools
Can We Get There From Here?	AJAX & JavaScript
Creating a Client-Side Search Engine with Gears	AJAX & JavaScript
Creating a Google Data API Client	APIs & Tools
Dalvik VM Internals	Mobile
Design Patterns in an Expressive Language	AJAX & JavaScript
Design Your Own YouTube Player	APIs & Tools
Effective Java Reloaded	Tech Talk
Engaging User Experiences with Google App Engine	APIs & Tools
Even Faster Web Sites	AJAX & JavaScript
Extend the Reach of your Google Apps Environment with Google APIs	APIs & Tools
Faster-than-Possible Code: Deferred Binding with GWT	APIs & Tools
Flash API for Google Maps	Maps & Geo
From Mashups to Mapplets	Maps & Geo
Gears Case Studies: Zoho offline on Gears, Buxfer secure and offline finance with Gears	AJAX & JavaScript
Google Gears and MySpace - an Exploration of Powering Search on the Client	AJAX & JavaScript
Google Gears for Mobile: Power Up your Mobile Web App	Mobile
Google Guice 101	APIs & Tools
GWT and Client-Server Communication	APIs & Tools
Harnessing StreetView, Static Maps, and other new additions to the Google Maps API	Maps & Geo
Hosting your Geo Data, an Overview of Design Options	Maps & Geo
How Open Source Projects Survive Poisonous People	Tech Talk
How to Index your Geo data	Maps & Geo
HTML5, Brought to You by Gears	AJAX & JavaScript
Improving Browsers in New Ways: Gears++	AJAX & JavaScript
Inside the Android Application Framework	Mobile
Introduction to Google DocType: an Encyclopedia of the Open Web	Tech Talk
Introduction to Project Hosting on Google Code	APIs & Tools
Keynote: Client, Connectivity, and the Cloud	AJAX & JavaScript
Keynote: Imagination, Immediacy, and Innovation… and a little glimpse under the hood at Google	AJAX & JavaScript
Leveraging Web 2.0 Design Patterns For Enhanced Accessibility	AJAX & JavaScript
Meet the OpenSocial Containers	Social
Mobile Mashups	Mobile
Monetizing Application Traffic On Social Networks	Social
My Maps Editing API	Maps & Geo
Open Source is Magic	Tech Talk
OpenSocial - Scaling and Analytics, Nuts & Bolts	Social
OpenSocial Across Containers	Social
OpenSocial at MySpace: Creating Popular Apps on MySpace	Social
OpenSocial Specification: What’s Next for OpenSocial	Social
OpenSocial, OpenID, and OAuth: Oh, My!	Social
OpenSocial: A Standard for the Social Web	Social
Parsing and Generating KML with Google’s KML Library	Maps & Geo
Rapid Development with Python, Django, and Google App Engine	APIs & Tools
Resource Bundles and Linkers in Google Web Toolkit	APIs & Tools
Reusing Google APIs with Google Web Toolkit	APIs & Tools
Search Friendly Development	APIs & Tools
Secure Collaboration - How Web Applications can Share and Still Be Paranoid	AJAX & JavaScript
Server-side JavaScript on the Java Virtual Machine	AJAX & JavaScript
Sitemaps: Exposing Interactive and Hidden Content in Web Applications	APIs & Tools
Spice up Your Web Apps with Google AJAX APIs	AJAX & JavaScript
State of Ajax: The Universe is Expanding	AJAX & JavaScript
Surprisingly Rockin’ JavaScript and DOM Programming in GWT	APIs & Tools
Taking Large-Scale Applications Offline - Lessons Learned from Google Docs	AJAX & JavaScript
The World’s Information in Context	Maps & Geo
Under the Covers of the Google App Engine Datastore	APIs & Tools
Underneath the Covers at Google: Current Systems and Future Directions	Tech Talk
URLs are People Too - Using the Social Graph API to Build a Social Web	Social
Using GWT to Build a High Performance Collaborative Diagramming Tool	APIs & Tools
Working with Google App Engine Models	APIs & Tools
YouTube on Your Site	APIs & Tools
GWT Extreme!	APIs & Tools
Painless Python for Proficient Programmers	Tech Talk
Visualize your Data: Google Visualization API	AJAX & JavaScript

If you are interested in additional slides and videos for training, please check out my previous post, “CERT, CERIAS, the Academy, and Google Video: Training Online.”

Col. Charles W. Williamson III in his post “Carpet bombing in cyberspace: Why America needs a military botnet” ran into trouble with the security community when he stated, “America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic.” Richard Bejtlich’s post, “Mutually Assured DDoS” points out several of the problems with a af.mil robot network. Sean Sullivan from F-Secure also did a thoughtful response titled “US Air Force Colonel Proposes Skynet.” I will leave it to the reader to head over to Williamson’s, Bejtlich’s, and Sullivan’s blogs and form their own opinions.

In the end, an effective Distributed Denial of Service (DDoS) attack will likely be done in a manner making it difficult to block the involved IPs without shutting down services to the victim’s customers. In cyberspace, attackers do not wear uniforms, nor do they necessarily come from a particular domain. It is not so easy to identifying the enemy. The intelligent attacker makes all effort to blend into the population.

With that in mind, I wanted to post some sites that can help identify from where attacks might originate. Please do remember that IPs used in an attack do not necessarily identify who is behind the attacks.

Overview

I agree with Col. Charles W. Williamson III that that cyberspace is a dangerous place. The idea of going on the offensive and striking back is appealing. Since early childhood, I can remember my dad always saying, “The best defense is a good offense.” The problem with a offensive military botnet is that it will run into problems when it comes to locating the base of the enemy. To understand why this is the case, we will start by defining some of the favorite cyberspace weapons used by the bad guys. We will then examine the countries where attacks are occurring. Sources of publish information will be examined, which should help the reader continuously monitor activities in their network. We will end by discussing Carnegie Mellon’s attempt to establish international communication and coordination.

Definitions

Let us defines a few of the favorite tools being used in carrying out attacks in cyberspace.

Malware

Malware is short for short for malicious software. It is any software written for malicious reasons that infiltrates or damage a computer without authorization. Some common malware types are trojans, worms, viruses, bots, rootkits, and spyware/adware. Below are definitions taken from the links above.

• Trojan - a package disguised as something useful or popular, but actually carrying a malicious payload that will damage the victim machines or threaten data integrity, or impair the functioning of the victim machine. Trojans can be classified according to the actions which they carry out on victim machines: backdoors, PSW trojans, trojan clickers, trojan downloaders, trojan droppers, trojan proxies, trojan spies, trojan notifiers, and arcbombs.
• Virus - will attach itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Viruses can be classified according to their environment and infection methods, such as file viruses, boot sector viruses, macro viruses, and script viruses.
• Worm - are considered a subclass of virus and take advantage of file or information transport features on systems allowing it to travel unaided. Worms includes programs that propagate via LANs or the Internet with the objective to penetrating remote machines, launching copies on victim machines, and spreading further to new machines. The key difference to a trojan is that worms can propagate on their own. They self-copy and infect other machines through penetrate and infect purely through vulnerabilities that are inherent to the system itself. No human intervention is required.
• Rootkit - a program (or combination of several programs) designed to take fundamental control (in Unix terms “root” access, in Windows terms “Administrator” access) of a computer system, without authorization by the system’s owners and legitimate managers.
• Spyware - is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user’s interaction with the computer, without the user’s informed consent.
• Adware - advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. Generally, addware is classified as privacy-invasive software.

Botnet

A botnet is a collection of Internet connected computers running autonomously and automatically in order to accomplish some distributed task. Distributed computing can be used for useful and constructive applications, while the term botnet typically refers a system designed and used for illegal purposes. The individual compromised machines (drones or zombies) run malicious software (bot) and are assimilated and used without the owner’s knowledge. The machines operate under the Command and Control (C&C) of the botnet owner (herder). Botnets are used for (definitions taken from the accompanying links):

• Click Fraud - click fraud is a type of internet crime that occurs in pay per click online advertising when a person, automated script, or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad’s link.
• DDoS - one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.
• Keylogging - a method of capturing and recording user keystrokes.
• Warez - refers primarily to copyrighted works traded in violation of copyright law.
• Spam - is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.

Phishing

Phishing is the practice of sending out fake emails, or spam for purpose of gathering personal information and/or identity theft.

Source Countries

Now that we know a few of the weapons used in cyberspace, we are ready to examine countries where these various attacks are occurring. Once more, please remember that those behind the attacks might not be at the same location as the machines that are launching the attacks.

The Shadowserver Foundation (see below) collects and provides some very interesting statistics. The below map shows the locations of infected machines (drones) that Shadowserver has observed in the past 24 hours. Please note that this information is not complete. It cannot be. If we knew all infected computers and C&C machines, we could shut them down easily. The challenge is in the ever changing landscape. The Shadowserver Foundation does a commendable job continuously monitoring this dynamic landscape.

The below map shows the last 24-hours worth of tracked C&C servers.

The below graph shows the count of all the network scans into routed CIDR blocks that occur from the botnets that Shadowserver is aware of:

The below map shows the last 24-hours worth of tracked existing C&C and the target of scan attacks.

The below graph shows the count of all the DDoS attacks that occurred from the botnets that Shadowserver is aware of:

The below most recent 24 hour period map shows the C&C and the target of the DDoS attack.

The below map shows the machines suffering DDoS attacks and the C&C sources in 2007.

The PhishTank (see below) provides daily verified phishing attempts. Below is a map of the countries generating the most reported verified Phishing attempts for April 2008.

Sources for Information

As previously mentioned, the Shadowserver Foundation gathers, tracks, and reports on malware, botnet activity, and electronic fraud. It is a great source of information concerning cybercrime. Richard Perlotto, the gentleman who runs the technology and operational side of the Shadowserver Foundation, presented last week at the Asia Pacific Information Security conference (AusCERT2008).

PhishTank provides information on phishing attacks. While OpenDNS created and operate the site, PhishTank is a community effort with the information being provided by companies and people submitting phishing e-mails and Web sites. The data is totally open and a free API exist. The API documentation is available for developers wanting to use PhishTank’s community data to integrate anti-phishing elements into their applications.

If you have anything in your security arsenal that is monitoring for certain IPs or domains, the DNS-DB Malware Domain Blocklist and the Global Watchlist provide invaluable up-to-date information. The DNS-DB Malware Domain Blocklist site maintains a list of domains, pulled from various sources, that are known to be used to propagate malware and spyware. The Global Watchlist was created after a discussion between C.S. Lee and Spoonfork. C.S. Lee describes the purpose of this list in his posting “The Harimau Watchlist” What they have done, in their own words is to “pull the list of suspected malicous IPs/Net ranges from different sources such as Sans dshield, Arbor atlas and so forth, then putting all of them in one place.” You can search through a web interface or set up processes to search automatically via URL. They have also made all the IPs and data available in one file. Helping detect and possibly prevent access from these IPs and domains through Snort, Dragon, and other IDS/IPS signatures is the Emerging Threats site.

The Spamhaus Project attempts to “track the Internet’s Spam Gangs, to provide dependable realtime anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spammers worldwide, and to lobby governments for effective anti-spam legislation.” The project offers a realtime database of IP addresses consisting of a combination of the Spamhaus Block List (SBL), the Exploits Block List (XBL) and the Policy Block List (PBL). If you desire a data feed, the service is not free. You can try it out for 30 days free. They do operate DNSBL servers spread across 18 countries. You may qualify for free access via DNS queries.

The SANS Internet Storm Center (ISC) provides a free analysis and warning service to fight back against the malicious attackers. The ISC gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is a a free service to the Internet community. After removing identifying information, the ISC sends send intrusion detection and firewall logs to the DShield distributed intrusion detection system.

The National Vulnerability Database (NVD) is a fantastic source of free information enabling automation of vulnerability management, security measurement, and compliance. While it might not help with filtering of IPs, the data can be used in combination when automating your security. To quote the site, “NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.” NVD is the repository for Information Security Automation Program (ISAP) and the Security Content Automation Protocol (SCAP). Here are a few of the major sources of information NVD provides:

1. CVE Vulnerabilities - a dictionary of publicly known information security vulnerabilities and exposures. Allows you to download the entire CVE List in various formats.
2. Checklists - repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.
3. US-CERT Alerts - provide timely information about current security issues, vulnerabilities, and exploits.
4. US-CERT Vuln Notes - include technical descriptions of the vulnerability, as well as the impact, solutions and workarounds, and lists of affected vendors.
5. OVAL Queries - an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL Repositoty downloads include Data Files of all vulnerability, compliance, inventory, and patch definitions for supported platforms.

There are a few good sources for security statistics in the form of a reports. The Anti-Phishing Working Group (APWG) is the global pan-industrial with over 3000 members in over 1700 companies and agencies worldwide. The group’s purpose is eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types. They produce an interesting Phishing Activity Trends report which was last updated in January 2008.

WhiteHat produces a Security Statistics Report. The report presents a statistical picture of current website vulnerabilities focused solely on previously unknown vulnerabilities on public websites. The report also contains expert analysis and recommendations. Jeremiah Grossman, founder and CTO, does maintain a very informative blog where additional information can be found. You can hear Jeremiah on a recent episode of Risky Business where he discussed with host Patrick Gray Cross Site Request Forgery attacks.

Microsoft produces a “Security Intelligence Report.” Currently the fourth volume is available covering July through December 2007. You can also watch the video cast of Bret Arsenault, GM US National Security Team and Vinny Gullotto, GM Microsoft Malware Protection Center, discuss the trends and findings in the latest SIR.

There are a few final additional sources of information that I have found useful when trying to understand security trends. Dan Geer did a presentation, “A Quant Look at the Future Extrapolation via Trend Analysis.” The state-of-the-art report (SOAR) published by the Information Assurance Technology Analysis Center (IATAC) provides observations about noteworthy trends in software security assurance as a discipline. The Computer Crime and Security Survey is conducted by CSI annually. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States. They use to issue the report with the FBI. Registration is required.

Blogs can also be a valuable source of information, and may occasionally post IPs to be concerned about. SunBelt Software just did a posting titled “Fresh new rogue antispyware programs.” Dancho Danchev recently posted “Malware Domains Used in the SQL Injection Attacks.” The F-Secure folks maintain a very informative site concerning the latest news from their labs. There are many excellent sites for information on malware, botnets, and phishing. For example, Kaspersky Lab maintains the blog VirusList and the AVDefender. SANS ISC has the Handler’s Diary.

International Incident Coordination

Security on international projects is complicated. Take a look at my previous post, “Information Security and the Law.” Different countries have different laws impacting what can and cannot be done. Many CEOs may not know a great deal about information technology, but they know they have no desire to break the laws of other countries. This can pressure managers to prefer to implement light security. Heavy on the data protection, but light on the detection. We have established cyberspace can be a dangerous place, especially when you are playing in international waters. Defenses will fail. If an organization cannot detect nefarious activities in a high risk environment, that is a bad combination. Even when you have fully supportive management, it is easy to run into a road block when dealing with other countries.

Carnegie Mellon University Software Engineering Institute (SEI) is trying to help establish some coordination between the white hats working in international security. First, a little history in order to understand the players involved. SEI was charged by the Defense Advanced Research Projects Agency (DARPA) with setting up center to “coordinate communication among experts during security emergencies and to help prevent future incidents.” This center was named the CERT Coordination Center (CERT/CC) and is an amazing source for cutting edge security research and information.

With the establishment of incident response team both within the United Stated and Internationally, soon difficulties developed due to differences in language, timezone, and international standards or conventions. It became apparent that better communication and coordination between teams were needed. The Forum of Incident Response and Security Teams (FIRST) was established. Membership consists of teams from a wide variety of organizations including educational, commercial, vendor, goverment and military.

CERT/CC also began a program to help Computer Security Incident Response Team (CSIRT) development and establish CSIRTs around the world. National CSIRTs deal with security at the macro level. Large-scale incidents can affect the economy, critical infrastructure, government operations, and/or national security. If the incident ends up being a worldwide event, National CSIRTs can coordinate with CSIRTs in other countries to establish communications and cooperation among those countries.

To hear more about CSIRT, in August Jeff Carpenter talked with Julia Allen on the CERT podcast titled, “Tackling Security at the National Level: A Resource for Leaders.” Jeffrey J. Carpenter is the technical manager of the CERT/CC and has assisted with the formation and development of CSIRTs. Julia Allen is a senior researcher within the CERT Program and is engaged in developing and transitioning executive outreach programs in enterprise security and governance, and works extensively with the IT operations and audit communities. She is one of my favorite sources for enterprise security information.

Below is an interactive map to locate CSIRTs with national responsibility around the world. From the map, additional information can be pulled up on the individual sites.

Final Words

I understand the frustration Col. Charles W. Williamson III feels. The problem is that in cyberspace, the enemy is all around us. It is within us. If we lash out, our first target must be ourselves. In the end, we are fighting blind. Edmund Burke once said, “All that is necessary for evil to succeed is that good men do nothing.” I do not think good men attacking each other was the something Edmund had in mind. That is what will occur if we fight blind. We can’t even withdraw into the safety of our own silos for the perimeters are being continuously breached. Retreat is not an option. The delusion that isolationism will bring safety has been shattered. The only solution is for the good guys to band together. There is strength in unity. Only when working together will we be strong enough to take on those who bring destruction.