One of the things that I think frequently about as I listen to folks talk about security is that many people forget the fact that information technology exist to help us do something. Security’s job is to figure out how to allow the task to be done while minimizing risk. If implementing security only results in a company unable to advance, security has failed the company. It is like the old analogy about security being the brakes to the corporate car. To quote Ron Woerner of the Security Catalyst:

Brakes allow the driver to go faster, have more control and go where they want to go safely. While brakes are an inhibitor, they actually allow the driver to reach their destination in a safe, yet quick manner.

Imagine driving without them. You’d be a nervous wreck. (Okay, maybe not you, but most of us would be.) You’d go really slow; be afraid of changing directions; and feel stressed. Think: the only way to stop is to crash into something.

In the paragraphs above, replace brakes with security (meaning security controls and processes) and driver with your organization’s name. Isn’t the concept the same? Security allows the user (driver) to reach their goal (destination) in a safe, yet quick manner. If you (security professionals) and your customers (users) are doing it right, security should allow the business to go faster, have control, and reach their goals safely without crashing.

Don Ulsch, technology risk management director in the Boston office of Jefferson Wells, told security executives during a lunchtime presentation that “many people blog from work and mobile platforms and that’s very bad.” He went on to categories blogs as one of the bad guys’ tools. Alan Shimel, chief strategy officer for StillSecure, addresses Don’s statement in his blog, “Don Ulsch, keep the FUD to yourself.” Don’s job is to see emerging threats and he makes the point that blogs represent a possible source of data leakage. This is a case where risk needs to be weighed against reward. That is Alan’s point. I listen to the “StillSecure, After All These Years” podcast and I read Alan’s blog. I am aware of his company StillSecure, and I have respect for the people he works with. I think Alan has demonstrated how useful the latest technology can be if you do not allow risk to stop your company from utilizing such technology. Sure, you want to minimize risk, but it is about balance. You cannot allow just the existence of risk to stop you from doing your business efficiently.

For this reason, I feel that one of the most important quality in a security professional is their ability to keep up with the latest technologies. We need to know the tools our organizations will be using in order to understand the risks involved. I am thankful to O’Reilly for helping me do my best to stay up on developments in IT. I read daily the O’Reilly Radar blog. I listen to the Distributing the Future podcast. Finally, I am subscriber to Safari Books Online. When Tim O’Reilly speaks, I listen.

I have a confession and I hope Tim does not feel I am stepping out on him. Occasionally, I will check out what books the Pragmatic Programmers, LLC might have. Awhile back, I brought the online version of the book by Dave Thomas and David Heinemeier Hansson, “Agile Web Development with Rails, Second Edition.” I found the web site to be very profession and well done. This is what you want to see in a publisher that sells books on web development. They have continued to provide free updates to the book. Considering the changing nature of agile web development, I have been very appreciate of that.

I also recently purchased the electronic version of Harlan Carvey’s book, “Windows Forensic Analysis DVD Toolkit.” It is a great book. Syngress’ site is not as slick as the Pragmatic Programmer site. I purchased from Syngress only because Harlan has produced such a great book. If you want to get a feel for Harlan technical and writing capability, check out his blog, the Windows Incident Response.

Right now, I am sitting at work finishing up the printing of some documents. While it might be nice to have documents in PDF format for searching and convenience in carrying around on a USB stick, I like to read hardcopy. While printing, I also have my MP3 player. I was listening to podcasts until I figured I would post a blog while waiting for my documents to finish printing. My phone and MP3 player are capable of making voice recording, which I occasionally use to record notes to myself. I don’t think Don would approve. The questions is how much safer would the company be verses how less productive would I be if these technologies were eliminated?

Here are a few other documents I am printing:

• OCEG Foundation Guidelines Red Book
• Guide to NIST Information Security Documents
• COBIT 4.1
• IT Governance Implementation Guide
• IT Assurance Guide
• Version Control with Subversion

What a way to spend Sunday.

I wanted to post a few more references. Hopefully, I will even find time to read these documents. I have referenced many times in this blog various NIST SP documents. On Friday, they published a guide to NIST information security documents. They describe the document as follows:

In order to make NIST information security documents more accessible, especially to those just entering the security field or with limited needs for the documents, we are presenting the Guide to NIST Computer Security Documents (.pdf). In addition to being listed by type and number, the Guide presents three ways to search for documents: by Topic Cluster, by Family, and by Legal Requirement. This Guide is current through the end of FY 2006.

Information Systems Audit and Control Association (ISACA) has released to its members several documents. For the general public, these documents will be released in May. These document include:

• COBIT 4.1 — To get a quick overview of how COBIT 4.1 differs from 4.0, please see the page titled, “How COBIT 4.1 Changed From 4.0.”
• IT Governance Implementation Guide: Using COBIT and VAL IT, 2nd Edition — I really have not done much with VAL IT. For now, it will be interesting to have as a reference.
• COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition — The guide covers, “control practices provide control approaches consisting of practices that are necessary and sufficient for achieving COBIT control objectives.”
• IT Assurance Guide: Using COBIT — This guide, “provides detailed guidance on how COBIT can be used to support a variety of assurance activities, such as planning, scoping and assessing risks and how an assurance review can be performed for each of the 34 COBIT processes.”
• COBIT Security Baseline, 2nd Edition — This is the guide that I was most interest in. Unfortunately, it will not be available until May 14th. The guide, “helps an organization focus on the essential steps to take by extracting the most important security-related objectives from the COBIT framework.”

This week I paid membership dues to get access to areas on the Open Compliance & Ethics Group (OCEG) site. OCEG has been working with Compliance Week on the Governance, Risk and Compliance (GRC) Illustrated series. OCEG also produces the Foundation “Red Book” which “provides guidance about the core processes and capability to enhance culture and address governance, risk management and compliance requirements. It incorporates the common practices that stand behind some of the most robust programs in the world.” M. E. Kabay from Network World did a nice writeup on the Red Book’s approach to risk management in his article, “OCEG Red Book on risk management.” A final document from OCEG that I want to review is the “Benchmarking Survey Comprehensive Summary Report.”

Finally, in my last post title, “Forensic Resources,” I listed a few other things I will be investigating in the computer forensic arena. Of course, I will also preparing and taking my SANS Security 508 course, System Forensics, Investigation & Response GIAC Certified Forensics Analyst (GCFA) certification exam.

Many times, I feel like the Lloyd Bridges from the movie Airplane. “Looks like I picked the wrong week to quit smoking.” While I might not smoke, nor any of the other things Lloyd’s character choose the wrong week to give up, I did decide to give up hard core caffeine. I went from Pepsi Mountain Dew Code Red to basic green tea. According to Wikipedia’s Caffeine entry, green tea has about half the caffeine of Code Red. That scales me back far enough that I no longer have caffeine headache withdrawals. Maybe one day I will figure out how to get all my work done while getting relatively normal amounts of sleep. One can always dream. Such is the life of a security monk.

I wanted to post a few more references in the area of forensics. There is a new book coming out, “Windows Forensic Analysis.” It is written by Harlan Carvey, who is also a member of the Security Catalyst Community Forums. Syngress has made available chapter three, Windows Memory Analysis, from Harlan’s book.

If you are unfamiliar with the Security Catalyst site, Michael Santarcangelo runs and maintains the forums. To quote the blog overview:

Get engaged and prepare to be entertained as expert on security and the protection of information and professional speaker Michael Santarcangelo (and friends) takes a refreshingly direct but entertaining (and easy to follow) look at the important issues in how we think about and protect our information assets.

It is a site I recommend to security professionals. Michael is really trying to build a community and provide insightful and timely information relating to security.

There are many great books out there. One book that has been out for awhile, which I highly recommend was written by Keith J Jones, Richard Bejtlich, and Curtis W. Rose. The title is “Real Digital Forensics.” Richard does an excellent job with the TaoSecurity blog. The blog is “dedicated to FreeBSD, network security monitoring, incident response, and network forensics.”

Bret Padres and Ovie Carroll, two former federal agents “talk about computer forensics, network security and computer crime” on their podcast, Cyberspeak. The April 22, 2007 episode has an interview with Jesse Kornblum, Pricipal Computer Forensic Engineer, ManTech International. They discuss Forensicswiki.org. The Forensicswiki.org site is “a Wiki operated under the Creative Commons-licensed devoted to information about digital forensics.” Translation: it is open to everyone. On the show, Jesse mentions the site Forensicwiki.com, which is a closed site where membership requests are vetted. To quote the site, “membership is intended for forensic/security professionals, law enforcement and the legal profession.”

Another site that might be of interest is Computerforensicsworld.com. That site is also a “free and open peer to peer medium for digital and computer forensics professionals and students.” There is also the Forensicfocus.com site. In the July 2006 newsletter, Forensicfocus provided many additional forensic links. One forensic list that they missed was the Appleforensics list. That mailing list is open only to government email addresses.

The NIST Special Publication site does maintain a few documents that might be of interest. There is Draft Special Publication 800-101, Guidelines on Cell Phone Forensics. There is also SP 800-86, “Guide to Integrating Forensic Techniques into Incident Response,” which was published August 2006. Back in November 2004, NIST published SP 800-72, “Guidelines on PDA Forensics.”

If you need a podcast to serve as an introduction to forensics, I recommend Richard Nolan and Stephanie Losi podcast done April 17, 2007 titled Computer Forensics for Business Leaders: A Primer. To quote the description of the show, “In this podcast, Richard Nolan, who leads CERT’s computer forensics efforts, shares what business leaders need to know and provides pointers to resources that can increase organizational preparedness.”

Finally, for training, I would point you to SANS SECURITY 508 course, System Forensics, Investigation & Response.

Gunnar Peterson from 1 Raindrop blog posted the above quote. It is an interesting quote and provides me an opportunity to share a few resources.

If you are interested in a book on security metrics, Andrew Jaquith has written, “Security Metrics: Replacing Fear, Uncertainty, and Doubt.” I personally like having a book in hand, but in the electronic world there is always Safari Books Online. For those not familiar with the site, it is a joint venture between O’Reilly Media and the Pearson Technology Group. Security Metrics is available from the Safari site. Prof. Joseph M. Jacobson of the MIT Media Lab on Apr 8, 1988 in the N. Y. Times made the wise observations:

If books had been invented after the computer, they would have been considered a big breakthrough. Books have several hundred simultaneous paper-thin, flexible displays. They boot instantly. They run on very low power at a very low cost.

Of course, one of the nice thing about belonging to Safari Books is that you do not have to lug the books around between home and work.

The author, Andrew Jaquith, is the program manager for Yankee Group’s Enabling Technologies. Security Wire Weekly, had Andrew on the Feb. 14, 2007 podcast. There are a few additional podcasts, for those interested in security metrics. Stephanie Losi & Julia Allen discuss “The ROI of security” on the CERT podcast series. CSOonline talked with George Campbell, retired CSO for Fidelity Investments on “How to Connect With Metrics.” Laura Koetzle, Vice President, Forrester Research, released the podcast, “Why Security Metrics Matter.”

A few additional publications that might be of interest. If you are doing any work for the US government, you should always consult the NIST Special Publication site. They have released the draft, Special Publication 800-80, “Guide for Developing Performance Metrics for Information Security“. Back in 2003, they also published SP 800-55, “Security Metrics Guide for Information Technology Systems.” In the security application world, the Open Web Application Security Project (OWASP) created a category, “OWASP Application Security Metrics Project.” Anyone unfamiliar with OWASP, it is an open-source project dedicated to finding and fighting the causes of insecure software. The Institute for security and Open Methodologies (ISECOM), also provides information on security metrics in their “SECURITY METRICS – RAVs (Risk Assessment Values) section.

Finally, a few websites. Andrew Jaquith runs the site, securitymetrics.org.
To be honest, there are more links and information on that site than I could ever provide. With that in mind, I will finish by pointing to the CSO website. Jeff Jones has begun the “Security by Numbers” blog.

That should be enough to get a person started/swamped with security metrics. While metrics might have a bad reputation, especially to the IT crowd, there is no arguing that they are key in making decisions and controlling risk. IT security professionals need to understand and do their best to provide good and insightful metrics. Otherwise, CIO will force the very kind of metrics that cause us all to question the intelligence of our organization.

No, I have not been abducted. No need to call in Gustav and Otto Amlingmeyer (better known as Old Red and Big Red, respectively). Sorry for my long absence from writing. I have several blogs started. Unfortunately, I began referencing so many different sources, the blogs became more research papers. Being tight on time, I have not got around to finishing them. Shoot, I have not gotten around to sleep.

I am going to try something different. I will make every attempt to write more frequently, just on less in-depth topics. The original purpose of this blog was to post interesting topics I came across. By the way, I have updated, over on the right, the “Recent Podcast” area. If you have not listened to these specific podcast, I do highly recommend them. They cover some very interesting topics. For tonight, let me just address what I have been doing recently.

I attended a SANS course System Forensics, Investigation & Response. I’ll follow this up with taking the certification to become a GIAC Certified Forensics Analyst (GCFA). I took the course by volunteering at SANS. It is a great program if your company is a little tight on training funds. Let me quote SANS description of the program:

If you are selected to facilitate for a SANS conference, you will pay a nominal fee of $500 and earn the remainder of your tuition in exchange for facilitator services you provide onsite. This fee includes attendance to the entire track the facilitator is selected to monitor, all course materials, and admission to evening sessions.

To be honest, I prefer volunteering over just attending. You get to interact more with the instructors, students, and the folks who work for SANS. Do not get me wrong, there is work involved. Volunteering for SANS just makes me feel more plugged in to the course and I get more out of it.

I have been asked if it is possible to take the certification exams without taking the course. I volunteer occasionally for SANS, I do not work for them. That is my disclaimer. Still, looking through their site, this is what I have found. If you know the subject mater very well, you can take the exam without taking the course. It is called a GIAC Challenge.

I don’t recommend it unless you are truly an expert on the subject matter. SANS exams are open book. The problem is that the the exam questions will be based on the material in the course. Now, at the conferences I have attended, SANS has allowed students to purchase copies of any of the courses held at the conference. Those course books could be very helpful in passing the exam.

When studying for the SANS exam, I recommend people make a good outline of the course material. That outline will helps a person find the material they do not remember from the course. You can count on there being some specific questions on more obscure material than you will ever be able to memorize.

The GIAC Challenge does include two practice exams. The practice exams are very valuable. They will help one figure out the pace of the exam and will point out areas where further studying is needed. SANS does allow you to purchase the exams separately.

I would point out that the course material is only part of the value of attending a SANS course. I find the interactions with the instructors and students just as valuable as what might be in the course material. If you can make it work, I would try volunteering with SANS before doing the GIAC Challenge.

1. Look further into possibly moving to WordPress MU. MordPress MU is a multi-user version designed to all thousands of blogs.
2. Look at bbPress for use with forums or bulletin board software for GLORIAD. It adds web standards, ease of use, ease of integration, and speed. Plus, it will get rid of really old software. From a security point of view, GLORIAD needs a major cleaning and upgrade.

As we increase our use of services being developed as part of Web 2.0, we find more services linked together and more integrated applications. A year ago, Dick Hardt, CEO of Sxip Identity sat down with IT conversations to talk about “Identity 2.0: Identity Protocols, Today and Tomorrow.” ZDNet posted an article back in May, “The Many Players at IIW.” IIW is the Internet Identity Workshop. Of course, I have to point out Phil Windley’s blog Technometria. Phil is the author of the O’Reilly book, “Digital Identity,” a man who knows what he is talking about.

Dick Hardt stated, “The identity management industry needs a common approach to secure, role-based access and compliance reporting for the enterprise and open source projects like Bandit from Novell and Higgins are a great step in that direction. We see this as a natural compliment to the user-centric Identity 2.0 efforts being made with SXIP and DIX and are excited to work with them on adding support of Bandit, Higgins and eDirectoryTM.”

Now talking with a friend of mine, Vincent Tillman, he pointed out that the problem is that at some level projects must interoperate in a large enterprise. The Security Assertion Markup Language (SAML) (for real-time management) and Liberty (federation/trust between systems) seem to always be mentioned in the “going-to-be” supported category. Another, the Service Provisioning Markup Language (SPML), allows resources (e.g. , Oracle Db) and managers (e.g., Tivoli or Sun IdM) to create and manage accounts by calling standard (web) services. SPML and SAML both are Web Services initiatives for standard account and access management. I’ll just mention that the OASIS general membership voted to accept SPML v2.0 as an OASIS Standard. SAML v2.0 was accepted by OASIS back in March 2005.

I am going to quote from IT Conversations, “Hardt differentiates Identity 1.0 from Identity 2.0 by describing the move from a directory centric environment where authentication means simply that your identity is registered on a web site’s directory to a user centric environment where an identity can truly be applied to a variety of web sites. He believes this will happen because the recent history of technological initiatives shows that open and simple wins out.”

To add this idea, I’ll quote redmonk, ” Identity 2.0 systems are interested in using the concept of a user’s identity as a declarative bundle of claims about the user: from things like their name, address, to less traditional things like their desires, customer service history, and other attributes that are usually not so much associated with a user identity. That’s the first big leap of Identity 2.0 think: a user’s attributes should be associated with that user’s identity..”

For an example of Identity 2.0, and keeping it in the open source area, take a look at OpenID. To quote the site, “OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do-with a URI (also called a URL or web address). Since URIs are at the very core of Web architecture, they provide a solid foundation for user-centric identity.” It is a decentralized digital identity system, in which any user’s online identity is given by URL (such as for a blog or a home page) or an XRI in the latest version, and can be verified by any server running the protocol.

Wikipedia adds, “On OpenID-enabled sites, Internet users don’t need to create and manage a new account for every site before being granted access. Instead, they only need to be able to authenticate with a trusted site that supports OpenID, called the identity provider (or IdP, sometimes called an i-broker). The identity provider can then confirm ownership of the user’s OpenID identifier to other OpenID-enabled sites, called relying parties or RPs. Unlike most single sign-on architectures, OpenID does not specify the authentication mechanism. Therefore, the strength of an OpenID login depends on how much a relying party knows about the authentication policies of the identity provider. Without such knowledge, OpenID is not meant to be used on sensitive accounts (banking, e-commerce transactions, etc.), but if an identity provider uses strong authentication, OpenID can be used for all types of transactions..”

Sounds like an interesting idea. The need to maintain duplicate user data within an organization is a problem. It gets worse as services are moved outside an organization. This is the advantage of a distributed authentication system like OpenID. On the backend, you can authenticate from any data source, including but not limited to LDAP. Even the inclusion of a user information from legacy systems is possible. When Access Control Lists become a reality, it will be possible to eliminate any user data from ever being stored on any site other than the central source accessed by the OpenID server.

After the Digital ID World conference John Fontana, Senior Editor, Infrastructure for Network World magazine, wrote in his article Higgins lays out roadmap for open source identity project that

The Higgins group plans to release a middleware piece called the Identity Attribute Service that acts as a layer on top of identity repositories such as directories or applications. It can aggregate data from multiple sources in real-time and bundle them into a single identity credential. The idea is to link to data without having to move it around the network.

Mark Wahl writes, “There are several ways of looking at these APIs. One is that they are conceptually similar to APIs such as Active Directory Service Interfaces (ADSI) or Java Naming and Directory Interface (JNDI), in that they provide an abstraction to enable an application to be independent of the API of a lower layer access protocol. In this view, Higgins would offer a higher level abstraction as well as a different set of supported protocols: OpenID, WS-Trust and LDAP instead of Novell Netware, NIS and LDAP.”

I have written more than intended on this topic. A very interesting area, which I will revisit later. For now, I just wanted to point out a few concepts and links.

Today posting is not about listening to podcasts, but getting MediaWiki installed. Before doing anything, a few references that make life easier when trying to install any software under Mac OS X:

1. http://www.macdevcenter.com
2. http://hivelogic.com
3. http://developer.apple.com
4. http://archive.macosxlabs.org
5. http://macosxhints.com
6. http://www.apple.com/support/downloads
7. http://afp548.com
8. http://www.macenterprise.org
9. http://www.secureosx.com
10. http://docs.info.apple.com

I did get MediaWiki installed on www.gloriad.org. I setup an SSL Apache server to run on another port then our current production server. The server requires a user to login, providing some security as we configure. I am going to want to do some reconfiguration of the Apache PHP module to specify some additional paths. I got the MediaWiki database and everything setup so Greg can continue on and get content started. The start of the week generally results in me having no time. With Christmas coming, time is limited. It is a start.

http://www.softwaregarden.com/wkcalpha/

and Socialtext Open Source is available at:

http://sourceforge.net/projects/socialtext/

If you have not done so, you might want to listen to the podcast:

IT Conversations: Ross Mayfield

Why the interest? GLORIAD works with people across the globe. Collaboration tools that help people work together, whether they be in the next office or across the globe, are essential.

To quote Ron Mayfield, “Wikis and Blogs have from their very beginning afforded open source and open APIs. They make great containers for orchestrating web services to form composite applications, or for being mashed up elsewhere. And more importantly, they are collaboration and communication tools that demand and enable redesign of applications. Not just slapping them on a web page.”

Open source and open APIs are what Web 2.0 is all about, and where the industry is going. This is the very thing we are talking about when we begin to discuss Service Oriented Architecture. Check out Dave Linthicum blog and podcast on SOA. When it comes to software, my focus is not on how easy it is to implement, but how well it will integrate into the whole scheme. People will recommend products that are nicely put together as a suite of services. The problem is, it is a closed system. It is all about open APIs. That is what is going to allow us to integrate the information, or if you prefer to do mashups, with other software both in existence today and that which will be introduced in the future. Who knows how we will be processing information a year from now?  Companies using open APIs, like Google, are helping us bring together information in ways we would not have thought of a few years ago.

In the end, I like the philosophy of Socialtext. I’m not sure of the user interface, but on the backend they seem to have a good design approach. I’ll see how hard it is, if it all possible, on a Mac OS X.

1. Safari Short Cut: Network Monitoring with Nagios
2. Book: Nagio System and Network Monitoring by Wolfgang Barth
3. Pro Nagios 2.0 by James Turnbull
4. Nagios notebook with:
• Advanced Configuration of Nagios by Syed Ali
• SNMP Trap Handling with Nagios by Francois Meehan
• Using Nagios to Monitor Your Network by Joel Rennich
• Monitoring Your Enterprise PACS With Nagios, Cacti, and Smokeping by Ron Sweeney
• Building a Self-Healing Network by Greg Retkowski
• Installing and Configuring Nagios by Bob Cares
• Monitoring Network Services with Nagios and Mac OS X by Mark Duling
• Nagios Version 2.0 Documentation

In addition, these links might be of interest:

http://leonardo.cascss.unt.edu/~trent/nagios.html

Mac OS X Server: How to Install, Enable, and Configure SNMP
http://docs.info.apple.com/article.html?artnum=107012

Monitor 10.2.8 clients using MRTG and NET-SNMP
http://www.macosxhints.com/article.php?story=20031019185335693