Wireshark v1.0 released

Jeff | Audit, Security, Tools | Monday, March 31st, 2008


After a short 10 year build time (I kid…), one of the best security tools out has reached the v1.0 milestone. Wireshark 1.0.0 was released this weekend! You can read more about it in this news item as well as grabbing the file from the Wireshark site. I’ve used Ethereal since the early days and it’s always been one of my staple network/security tools. A big congrats to the team! Here’s the news release:

I’m proud to announce the release of Wireshark 1.0. This is the culmination of nearly ten years of hard work by a team of brilliant and talented developers. It is an honor to be able to work with these people.
On behalf of the development team, I would like to thank Wireshark’s user community for all of your enthusiasm and support over the years. Wireshark development will continue, and we have lots of great features to offer in the coming years.

In this release

Security-related vulnerabilities in the X.509sat, Roofnet, LDAP, and SCCP dissectors have been fixed. See the advisory for details.
This release includes an experimental package for Mac OSX Intel. For a complete list of changes, please refer to the 1.0.0 release notes.
Official releases are available right now from the download page.


You mean I’ve been wasting my time?!!

Jeff | Security | Thursday, February 7th, 2008

During my daily RSS scan this morning I noticed this article on DarkReading that is sure to spark a lot of debate over the next few days.

Computer Forensics Show 2008 — Peter Tippett thinks it’s time for security professionals to wake up and stop wasting their energy.

In a presentation here yesterday, Tippett — who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton AntiVirus — said that about one third of today’s security practices are based on outmoded or outdated concepts that don’t apply to today’s computing environments.

Once you get past the incendiary statements, it seems to me like Peter is discussing getting back to basics with our security thinking. Nothing is 100% safe, but in the rush to try and secure everything, many tend to forget about the basics. It seems that in the past two years many companies (and many in the netsec field) have gone overboard in trying to manage every risk to the point of CYA insanity, instead of using a more holistic approach of basic security best-practice and prudent risk assessment/management. As anyone that has worked in the security field knows, we netsec folk have to get a million things right to keep the bad guys out, but the bad guys only have to get one thing right to get in. Of course, that’s why the argument for defense-in-depth is so important.

Yet, while I do agree with most of the points Peter brings up, we can’t just throw up our hands and give up. We still have to approach security with due diligence as one of the goals.

There is a good discussion on the article over at Slashdot. Put on your fire-retardant suit before clicking the link…

UK to make security/hacking tools illegal?

Jeff | Security | Thursday, January 3rd, 2008

Utter madness…

The Register reports on a new UK guideline that makes it illegal to create or distribute so-called “hacking” security tools.

The controversial measure is among amendments to the Computer Misuse Act included in the Police and Justice Act 2006. However, the ban, along with measures to increase the maximum penalty for hacking offences to ten years and make denial of service offences clearly illegal, is still not in force and probably won’t be until May 2008 in order not to create overlap with the Serious Crime Bill, currently making its way through the House of Commons.

I was amazed when the German computer crime laws came into effect in August 2007, but it looks like the insanity is spreading to other parts of Europe as well.

Security Certs: Oh How I Love/Loathe Thee…

Jeff | Certs, Security | Friday, September 7th, 2007

With my recent focus on career, job search and subsequent employer change the past few months, I’ve been wanting to post some of my recent thoughts on certifications but just haven’t had the time. So it was with interest (and some amusement) that I was following the recent comments between Daniel Miessler (original post and followup) and Marty McKeay (here and here) in regards to the comparisons/differences between the CISSP and GSEC. They have some opposing viewpoints on the subject, although I think they are closer than they think and sum up my thoughts pretty succinctly. Some of my favorite quotes from the discussion:

[MM] When you’re interviewing for a position, you’re interviewing a person, not a certificate. If you’re interviewing a CISSP to be a router jockey, you better hope they have a couple of other certs to back up their claims of knowledge. Or you better have some really good questions for them, preferably both. By definition, the CISSP shows no in depth knowledge of any particular aspect of security.

That’s one of the things that really bugs me about certs in general, the attitude of some (both cert holders and employers) that just because they hold a CISSP or GSEC, they have reached some pinnacle and know all they need to know about security. The attitude always astounds me! =) I’ve been in IT for about 15 years and yet I feel like I learn something new every day. In fact, that’s one of the main reasons I love the security field so much, the constant challenge to stay current, to learn and grow. =)

[MM] The CISSP certificate is useful for setting a baseline of the person’s overall knowledge of security. And if it’s treated as nothing more than a simple measuring stick, it works well. But it’s not meant to measure someone’s networking knowledge and using it to do so won’t work.

Marty pegs it here. Certs are (IMHO) a simple baseline that employers can use to assess that we in the security arena have a minimum “baseline” of security knowledge, but it is not the end-all be-all of measuring the skill of a person. We’ve all met loads of IT people with a bucketful of certs who could not troubleshoot their way out of a wet paper bag. So I think Marty’s point is valid here, we cannot assume that a CISSP knows about things not covered in the official study guide. In a perfect world that foundation knowledge would be there, but this is not a perfect world. =) That’s where Daniel’s point rings true:

[DM] It’s simply absurd to claim that people in “management” roles don’t need to be versed in technology. Chefs learn about food. Architects learn about the structural integrity of their building materials. Physicists learn math. Why should information security experts not have to learn the building blocks of their discipline like everyone else?

I’ve held off taking the CISSP for years, but not for the reasons you might suspect. I guess it was the rebel in me, but as someone who was “in the trenches” for years I didn’t see the need to take a cert that did not (IMHO) add much to my knowledge base and was more of a resume checkbox.

This past year I think I’ve finally made peace with myself on this whole cert subject and have come to the conclusion that it’s part of the resume game we all must play sooner or later. I’ve changed the way I look at these certs and have even come to see the advantage of going through the motions, and will even admit to learning a thing or two in studying for the CISSP and CISA tests this year. I guess you can teach an old dog at least a few new tricks… =)

Update 9/7/07: This exchange has sparked some great comments around the web this week. Mike Rothman over at SecurityIncite.com wrote a great blurb on the issue. Marty also talks more about the issue in Episode 75 of his great podcast.

CISA test over - Now the wait begins…

Jeff | Personal, Security, Stuff | Monday, June 18th, 2007

After a month or two of pretty regular study I finally got my Certified Information Systems Auditor (CISA) test done a week ago and then promptly took a much-deserved week off for vacation. Now comes the 10-week wait for the results. You would think in this day and age they could get you the results a little faster, but such is life I guess. :)

The test itself was one of the more difficult ones I’ve taken due to the subjectivity of the questions. There were too many questions where you had to make a decision on the “most right” answer, and it seemed to me like it tests your ability to decide what ISACA wants you to say more than your actual knowledge of the material. I’ve yet to fail a cert test, but I’m really unsure as to my success on this one.

As an FYI, I used the Sybex CISA Study guide and found it to be an excellent guide of the material. I also used the official ISACA CISA Test Question CD for review.

Forensics gets more difficult

Jeff | Security | Friday, June 1st, 2007

The world of forensics has been getting more difficult over the past year or so. There has been a rash of new antiforensic tools that are so easy to use that my 9-year-old could run them. And it’s getting worse. Scott Berinato has an excellent article on www.cio.com detailing how the ease of use and increased effectiveness of antiforensic tools is making forensic tools obsolete.

“Five years ago, you could count on one hand the number of people who could do a lot of these things,” says one investigator. “Now it’s hobby level.”

It’s gotten to the point that hackers are no longer worried about covering their tracks.

Researcher Bryan Sartin of Cybertrust says antiforensic tools have gotten so easy to use that recently he’s noticed the hacks themselves are barely disguised. “I can pick up a network diagram and see where the breach occurred in a second,” says Sartin. “That’s the boring part of my job now. They’ll use FTP and they don’t care if it logs the transfer, because they know I have no idea who they are or how they got there.” Veteran forensic investigator Paul Henry, who works for a vendor called Secure Computing, says, “We’ve got ourselves in a bit of a fix. From a purely forensic standpoint, it’s real ugly out there.” Vincent Liu, partner at Stach & Liu, has developed antiforensic tools. But he stopped because “the evidence exists that we can’t rely on forensic tools anymore. It was no longer necessary to drive the point home. There was no point rubbing salt in the wound,” he says.

As with all things security, it’s always easier for the blackhat to figure out how to get around one weakness than it is for the whitehat to figure out how to cover all the bases, and I don’t see that changing anytime soon.

SEC moves to reduce Sarbanes-Oxley costs

jeff.bolden | Security | Wednesday, May 23rd, 2007

For those of us that have to deal with the mess that is SOX compliance, there may be some help on the way. SOX compliance is an expensive process that (IMHO) can cripple smaller companies with little in the way of payback. After over a year of wrangling, the SEC recently approved guidelines “that would allow executives to focus their attention on factors most likely to trigger financial misstatements.”

The agency’s guidelines, combined with a revised auditing standard from the Public Company Accounting Oversight Board are aimed at ending more than a year of debate over whether the law’s costs outweigh its benefits.

The SEC guidance will be coordinated with changes to audit rules that the Public Company Accounting Oversight Board will vote on Thursday. The board, an independent panel formed under Sarbanes-Oxley, wants to reduce auditor testing by encouraging accountants to rely on work companies have already done.

With SOX Compliance becoming big business in recent years I’m sure there are some people not excited about the news, but hopefully the rest of us can benefit from a reduced cost in audit compliance and more budget available for other things.
